Missing Content-Type Header with Request Body #266
Comments
This is only a documentation bug. Update proposal:

The 2616 reference is obsolete.
@mnot interesting - this seems like a weird design choice - particularly since right below where it says servers may "examine the data to determine its type", there is an entire paragraph about why this is bad. Any idea of how often popular browsers will fail to send the content-type? I'd think it is rare - rare enough that I wouldn't want my webserver guessing, probably. @dune73 seems to have the right approach from our end; although not to spec, I don't suspect that this is very common behavior (or encouraged). We should update the documentation for RC2. Good find @mnot
I do not remember an alert in connection with this rule. So I am quite sure the said behaviour is rare.
It certainly will be rare, but not all clients are browsers. I agree it's just a doc bug.
@mnot we appreciate the issue and the expertise :). Please feel free to keep us informed of changes you see that affect us or issues you spot. We'll merge this in for CRS 3 rc2.
There is a clear reason why the rule is there. But if we decide to be stricter than the RFC, then we need to get the facts right. So reporting this is most welcome. It's just that we have not worked through all the old issues from the time before we took over the project. But we continue to work on it.
Being closed in favor of the PR #586 |
In base_rules/modsecurity_crs_21_protocol_anomalies.conf:
RFC7231 says no such thing; the applicable text is:
http://httpwg.github.io/specs/rfc7231.html#header.content-type