-
Notifications
You must be signed in to change notification settings - Fork 1.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
setRequestHeaderSize and setResponseHeaderSize apply to all headers, not one #6204
Comments
It's a buffer configuration, it controls the buffer used for the header section of the HTTP protocol. Per RFC7230 (HTTP/1.1 spec), you have ...
Those configurations control the buffer used in section 2 above. |
Right that's true - it's currently meant to be interpreted as the "protocol header". However that usage of just "header" conflicts with the usage of "http header" as most people understand it - even in the same file: Even in RFC7230 you have the distinction:
|
That's actually a "Field". Also, I would caution relying on MDN, as its information is not up to date and frequently stagnates. As for the naming in use by Jetty, think of it this way ...
I know it's nuanced, but lots of things in HTTP/1.x are nuanced like that. Take this from the HTTP/1.1 spec: Section 3 (yes, I know you copy/pasted this section too, I just decided to link it and include the section header so others in the future that come across this issue can read it for themselves) ...
The use of "headers" (plural) is actually not used much within the HTTP/1.1 spec itself. (There's 5 hits, 1 is the use in section above, 3 are shorthand references to "message headers" IANA registry called "Permanent Message Header Field Names", and the last hit is in the index at the bottom to reference above). For the purposes of the HttpConfiguration ... Changing this to be "headers" plural is actually limiting the scope of the buffer configuration (as that name would exclude the start-line/response-line, which is part of this buffer configuration) I feel we are consistent to both of the HTTP specs, their chosen naming, and the true scope of that configuration within Jetty. |
The correct description is definitely "headers size" or something to that effect. |
My sense is the intersection of the sets {websites that users of Jetty visit} and {websites that refer to the HTTP header in the protocol sense} is low. Though I'm happy to be proven otherwise - I thought MDN was fairly authoritative in terms of "enough people look at this" but of course it's not by any means authoritative in terms of current standard tracks. I doubt most users of Jetty read the HTTP spec though - that's why they use Jetty 😄. @gregw that seems reasonable - anything that communicates "this is not the same as what Apache/Nginx/etc use to limit line length." Where would be a better place for this documentation? My first thought was Javadoc because that's how I got to the comment. Jetty suddenly started returning 5xxs from my requests and I just followed the code to how Jetty is configured. Happy to send PRs to update all the places. |
I think we should just improve the javadoc to say it is a buffer size for all the header fields. |
This issue has been automatically marked as stale because it has been a |
This issue has been automatically marked as stale because it has been a |
This issue has been automatically marked as stale because it has been a |
This issue has been closed due to it having no activity. |
Jetty version Jetty 9.4.31
Java version 14.0.2
OS type/version Mac OS
Description
This is either a bug with the documentation or the implementation. Theses are the comments in
HTTPConfiguration.java
: https://github.com/eclipse/jetty.project/blob/jetty-10.0.x/jetty-server/src/main/java/org/eclipse/jetty/server/HttpConfiguration.java#L401-L422 .The documentation says that these control "the maximum size in bytes of the ... header." MDN defines a header as ONE key-value pair - i.e. just one
Header: Value
.Unfortunately in Jetty, these configuration options actually control the size of the HTTP Header "Area" (not sure what to call it). Setting either of these controls the total length of ALL the (request/response) headers, not just the maximum of one header. I'm not sure if that's intentional, but if it is, it would be great to improve the documentation to say that it's the total header length, not a single header length.
The text was updated successfully, but these errors were encountered: