Hey Maxim,

> I'm talking about trailers in general (though it's more about
> requests than responses).  Normal request (and response)
> processing in nginx assumes that headers are processed before the
> body, and adding trailers (which are headers "to be added later")
> to the picture is likely to have various security implications.

Let's step back a bit... I have no plans to change the processing
logic nor merge trailers with headers. Trailers are going to be
ignored (passed, but not processed) by NGINX, not discarded.

AFAIK, Apache does the same thing.

Basically, at this point, trailers act as metadata for the application
(browser, gRPC, 3rd-party NGINX module, etc.), with no HTTP semantics,
so there are no security implications for NGINX itself.

Best regards,
Piotr Sikora

_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel
