Fri 2014-07-25 at 19:05 +0300, Eliezer Croitoru wrote:
> The response to Alex's question why would anybody want to drop the
> "cteonnt-length:" header:
> Some places do not allow cookies or POST for external services, and it
> sometimes can look weird, but I still understand why it would be
> considered a security hole by some minds.
Dropping the mangled connection-length header is not about security. It's no more than a garbage header carrying no meaning other than a distant echo of its original form. It is transformed in this manner to avoid being read as connection-length while doing a minimal, lightweight rewrite of the TCP/IP payload. Bandwidth saving from dropping this header will be close to unmeasurable. Security impact likewise.

But sure, if you have a whitelist policy of only allowing what is explicitly allowed, then it would be dropped by the catch-all DROP policy. But no hardwiring in our code is needed for that.

The discussion about the mangled Connection header may be more interesting, but only if there are bugs in the software that mangled the Connection header, leaving what was intended as hop-by-hop headers unmangled. But I don't see much of a point in worrying about that until there is indication that there are problems caused by such headers.

From the referenced discussion it's quite clear this rewrite practice is limited to one cache appliance vendor. It is not likely to be implemented by others.

Regards
Henrik
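The two policy points in the reply above (a whitelist with a catch-all drop needs no special-casing of the mangled header, and the only interesting case is a mangled Connection header) can be shown in a small header filter. The following is an added example written for this page; it is not Squid code and not Henrik's or Eliezer's code. The whitelist (ALLOWED), the X-Internal-Token and X-Debug headers and the whole sample request are constructed for the demonstration; only the "Cteonnt-Length" spelling comes from the thread. The mangled-variant check goes beyond the thread by flagging any header whose name is a length-preserving letter scramble of a known header, which is exactly the kind of "distant echo" a rewrite that keeps the payload length produces.

```python
"""Proxy request-header policy: whitelist with catch-all drop, hop-by-hop
stripping, and detection of length-preserving mangled header names.

Added example for the squid-dev thread above; not Squid's own code.
Header names, whitelist and sample request are constructed for illustration.
"""

# Hop-by-hop headers defined by HTTP (RFC 7230 section 6.1); a proxy must
# not forward them. Connection: may name further hop-by-hop headers.
HOP_BY_HOP = {
    "connection", "keep-alive", "proxy-authenticate", "proxy-authorization",
    "te", "trailer", "transfer-encoding", "upgrade",
}

# Hypothetical end-to-end whitelist: anything not listed here is dropped by
# the catch-all rule, so a mangled name needs no rule of its own.
ALLOWED = {
    "host", "content-length", "content-type", "accept",
    "user-agent", "date", "cookie",
}

KNOWN_HEADERS = HOP_BY_HOP | ALLOWED


def is_mangled_variant(name):
    """Return the known header `name` looks like a letter-scrambled copy of,
    or None. A length-preserving rewrite keeps the letter multiset, so
    'Cteonnt-Length' maps back to 'content-length'."""
    lname = name.lower()
    if lname in KNOWN_HEADERS:
        return None
    for known in KNOWN_HEADERS:
        if len(known) == len(lname) and sorted(known) == sorted(lname):
            return known
    return None


def parse_headers(raw):
    """Parse a CRLF-separated header block into ordered (name, value) pairs."""
    headers = []
    for line in raw.split("\r\n"):
        if not line:
            continue
        if ":" not in line:
            raise ValueError("malformed header line: %r" % line)
        name, value = line.split(":", 1)
        headers.append((name.strip(), value.strip()))
    return headers


def filter_headers(headers):
    """Apply the policy. Returns (kept, dropped); dropped holds (name, reason)
    so the log shows why each header went away."""
    # Headers named in Connection: are hop-by-hop for this hop only.
    hop = set(HOP_BY_HOP)
    for name, value in headers:
        if name.lower() == "connection":
            hop.update(t.strip().lower() for t in value.split(",") if t.strip())

    kept, dropped = [], []
    for name, value in headers:
        lname = name.lower()
        if lname in hop:
            dropped.append((name, "hop-by-hop"))
        elif lname in ALLOWED:
            kept.append((name, value))
        else:
            # Catch-all DROP; only the reason string distinguishes a mangled
            # echo of a known header from an ordinary unknown header.
            original = is_mangled_variant(name)
            reason = ("mangled variant of %s" % original) if original else "not whitelisted"
            dropped.append((name, reason))
    return kept, dropped


# Constructed sample request; only "Cteonnt-Length" is quoted from the thread.
SAMPLE_REQUEST_HEADERS = (
    "Host: example.com\r\n"
    "Cteonnt-Length: 42\r\n"
    "Connection: keep-alive, X-Internal-Token\r\n"
    "X-Internal-Token: abc123\r\n"
    "Cookie: session=1\r\n"
    "X-Debug: 1\r\n"
)


def run_sample():
    """Filter the constructed sample and return (kept, dropped)."""
    return filter_headers(parse_headers(SAMPLE_REQUEST_HEADERS))


if __name__ == "__main__":
    kept, dropped = run_sample()
    for name, value in kept:
        print("keep  %s: %s" % (name, value))
    for name, reason in dropped:
        print("drop  %s (%s)" % (name, reason))
```

On the sample the mangled header is dropped by the same catch-all rule as X-Debug; the only difference is the logged reason, which is where a mangled Connection header (a scramble that still passes the hop-by-hop check unmangled, as the reply worries about) would become visible.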