On 06/17/2009 12:00 AM, Mark Nottingham wrote:
> [ moving to squid-dev ]
> 
> From what I can see, the site is using JavaScript to do autocomplete on
> a search field. The autocomplete requests use POST, but without a body.
> 
> With Firefox, this results in a POST request without a body; i.e., it
> doesn't have transfer-encoding *or* content-length.
> 
> Such a POST request is legal (although atypical; Safari and I think
> others will include a Content-Length: 0 to signal no body explicitly).
> See
> <http://tools.ietf.org/html/draft-ietf-httpbis-p1-messaging-06#section-4.3>.
> 
> 
> I think the right thing to do here is for Squid to only 411 when there's
> a transfer-encoding present; if there's no content-length, it's safe to
> assume 0 length.

Would the "assume 0 length" approach make request smuggling attacks
easier? Perhaps we should add Content-Length: 0 to the request then?

Alex.
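
The framing decision discussed in this thread, as an added example that is not part of either message and is not Squid's code: 411 only when Transfer-Encoding is present, treat a request with neither header as zero-length, and write `Content-Length: 0` on the forwarded request so the next hop does not have to infer the length. The function name, the `BODY_METHODS` set and the 400 response for malformed or conflicting Content-Length values are assumptions made for the example.

```python
# Added example: request-body framing for a forwarding proxy that does not
# decode chunked request bodies (assumption). All names are hypothetical.

BODY_METHODS = {"POST", "PUT", "PATCH"}  # assumption: methods that get an explicit length

# Constructed sample: a body-less POST with no framing headers, as described above.
SAMPLE = ("POST", [("Host", "example.test"), ("Accept", "*/*")])


def frame_request(method, headers):
    """Decide how the request body is framed.

    headers is a list of (name, value) tuples as received.
    Returns (action, headers_to_forward); headers_to_forward is None on reject.
    action is 'no-body', 'length:<n>', 'reject:411' or 'reject:400'.
    """
    te = [v for n, v in headers if n.lower() == "transfer-encoding"]
    cl = [v.strip() for n, v in headers if n.lower() == "content-length"]

    # Transfer-Encoding present: this proxy cannot determine the length, so 411.
    if te:
        return "reject:411", None

    if cl:
        # Repeated headers must agree and be plain ASCII digits; otherwise
        # two hops could disagree about where the body ends.
        value = cl[0]
        if len(set(cl)) != 1 or not (value.isascii() and value.isdigit()):
            return "reject:400", None
        out = [(n, v) for n, v in headers if n.lower() != "content-length"]
        out.append(("Content-Length", value))  # forward exactly one copy
        return "length:" + value, out

    # Neither header: zero-length body. State it explicitly when forwarding.
    out = list(headers)
    if method.upper() in BODY_METHODS:
        out.append(("Content-Length", "0"))
    return "no-body", out
```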
