Kestrel should disallow trailers cited in rfc7230 section 4.1.2

[mgravell]

Is there an existing issue for this?

• I have searched the existing issues

Describe the bug

Origin: https://stackoverflow.com/q/76780323/23354

Cross-reference relevant http.sys code: https://github.com/dotnet/aspnetcore/blob/main/src/Shared/HttpSys/RequestProcessing/HeaderCollection.cs#L21

Currently it appears that Kestrel can be coerced into adding H2 trailers that violate RFC 7230 section 4.1.2, which states:

A sender MUST NOT generate a trailer that contains a field necessary
for message framing (e.g., Transfer-Encoding and Content-Length),
routing (e.g., Host), request modifiers (e.g., controls and
conditionals in Section 5 of [RFC7231]), authentication (e.g., see
[RFC7235] and [RFC6265]),
response control data (e.g., see Section
7.1 of [RFC7231]), or determining how to process the payload (e.g.,
Content-Encoding, Content-Type, Content-Range, and Trailer).

This may or may not be limited to gRPC scenarios.

Expected Behavior

An exception should be generated, to be consistent with the IIS/http.sys implementation

Steps To Reproduce

From linked gRPC question (may also be possible without gRPC, to be investigated):

public override async Task<ProduceBadTrailerReply> ProduceBadTrailer(ProduceBadTrailerRequest request)
{
    var status = new Status(StatusCode.Unauthenticated, "throwing on purpose");
    var trailers = new Metadata() { new Metadata.Entry("www-authenticate", "auth failed on purpose") };
    await Task.CompletedTask;
    throw new RpcException(status, trailers);
}

Exceptions (if any)

No response

.NET Version

No response

Anything else?

No response

[Tratcher]

https://github.com/dotnet/aspnetcore/blob/main/src/Servers/Kestrel/Core/src/Internal/Http/HttpResponseTrailers.cs

Check HttpSys and IIS as well.

[mgravell]

@Tratcher is that a "here's where trailers are implemented in Kestrel" comment? or is that comment something more nuanced?

[Tratcher]

Here's a place to start looking.