-
Notifications
You must be signed in to change notification settings - Fork 17.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
net/http: client/transport should be more defensive against servers which write a body in response to HEAD requests #68653
Comments
CC @neild |
What do you think the client should do that it is not doing now? If the server sends a body in response to a HEAD request, then:
There's no way for the client to ensure that a server hasn't improperly sent a body in response to a HEAD request: You can't prove a negative. We could be a bit more aggressive in checking for data in a conn's read buffer, but if the server has sent response headers and body in separate packets, that isn't going to be very reliable--we'll still hit the same error paths we do today when we process headers and haven't yet received the body. Perhaps our error logging could be clearer. But it isn't clear to me what "more defensive" would be, specifically, or in what way the client is currently "getting tripped up on" misbehaving servers. |
Thanks for following up @neild. Following from what @terinjokes said, does it make sense to close connections after a HEAD request? Maybe I'm reading it wrong, but this RFC suggests that it may be advisable.
https://httpwg.org/specs/rfc9110.html#HEAD What are your thoughts? |
Go version
go version go1.22.5 linux/amd64
Output of
go env
in your module/workspace:What did you do?
The Go HTTP client/transport may reuse connections which have been used for a HEAD request. If the server wrote a body to the response, the Go HTTP client/transport may use that body as if it were the start of a new request.
Ref: #68609
What did you see happen?
What did you expect to see?
The Go HTTP client/transport should be more defensive and not get tripped up on servers misbehaving like this. It's not uncommon for this to happen, as noted in #68609 (comment). It's quite problematic as there are lots of reverse proxies which rely on the net/http transport (cloudflared, caddy, etc).
The text was updated successfully, but these errors were encountered: