On Wed, Oct 5, 2022 at 12:44 PM Roy T. Fielding <field...@gbiv.com> wrote:
>
> > On Sep 26, 2022, at 5:29 AM, ic...@apache.org wrote:
> >
> > Author: icing
> > Date: Mon Sep 26 12:29:47 2022
> > New Revision: 1904269
> >
> > URL: http://svn.apache.org/viewvc?rev=1904269&view=rev
> > Log:
> > *) mod_http2: new directive "H2HeaderStrictness" to control the compliance
> > level of header checks as defined in the HTTP/2 RFCs. Default is 7540.
> > 9113 activates the checks for forbidden leading/trailing whitespace in
> > field values (available from nghttp2 v1.50.0 on).
>
> I am not seeing why that should be optional. It adds overhead, but it reduces
> variability (for HPACK) and might prevent some downstream vulnerabilities,
> IIRC.
> Maybe an internal switch for testing with default on?

+1 for opt-out.
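
The field-value check discussed in this thread, as an added sketch in C; it is not mod_http2 or nghttp2 code and not part of any message above. The function and enum names are hypothetical, and the 7540 level is assumed here to reject only NUL, CR and LF, while the 9113 level adds the leading/trailing SP/HTAB rule from RFC 9113 section 8.2.1.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical names for this sketch; they mirror the two directive values. */
enum h2_strictness { H2_STRICT_7540 = 7540, H2_STRICT_9113 = 9113 };

static int is_ows(unsigned char c) { return c == 0x20 || c == 0x09; }

/* Returns 1 if the field value is acceptable at the given level, 0 if the
 * message carrying it must be treated as malformed. */
int h2_field_value_ok(const char *v, size_t len, enum h2_strictness level)
{
    size_t i;
    /* Assumed for both levels: NUL, LF and CR are rejected at any position. */
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)v[i];
        if (c == 0x00 || c == 0x0a || c == 0x0d)
            return 0;
    }
    /* RFC 9113 section 8.2.1: no SP/HTAB as first or last octet.
     * Interior whitespace and the empty value remain valid. */
    if (level == H2_STRICT_9113 && len > 0) {
        if (is_ows((unsigned char)v[0]) || is_ows((unsigned char)v[len - 1]))
            return 0;
    }
    return 1;
}

/* Convenience wrapper for NUL-terminated sample values. */
int check(const char *v, enum h2_strictness level)
{
    return h2_field_value_ok(v, strlen(v), level);
}

int main(void)
{
    /* Constructed sample values, not captured traffic. */
    const char *samples[] = { "gzip, br", " gzip", "gzip\t", "a  b", "" };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("[%s] 7540=%d 9113=%d\n", samples[i],
               check(samples[i], H2_STRICT_7540),
               check(samples[i], H2_STRICT_9113));
    return 0;
}
```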