Consider closing the connection on Upgrade failure #2739

Open
bemasc opened this issue Feb 15, 2024 · 0 comments
Labels
optimistic-upgrade draft-ietf-httpbis-optimistic-upgrade

bemasc commented Feb 15, 2024

@martinthomson writes:

> The server treating Upgrade as implying Connection: close might be a good start, counter to what Section 4 currently says. We should not be recommending mitigations that only one affected party can deploy.

In other words, we would instruct servers to close the connection after responding, without reading any more requests, when they reject an Upgrade.

This behavior would be compatible and compliant, and would foreclose the security issue in question. However, it would have a notable performance cost when returning a response that will trigger a retry (e.g. 307, 401, 407).

bemasc added the optimistic-upgrade draft-ietf-httpbis-optimistic-upgrade label Feb 15, 2024
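The server behaviour proposed in this issue, as an added example that is not part of the issue thread or the draft: a toy HTTP/1.1 request loop run over a constructed byte stream, once keeping the connection alive after a rejected Upgrade and once closing without reading further. The function names, the `example-proto` token, the 401 rejection and the sample bytes are assumptions made for illustration.

```python
# Added illustration: names, the example-proto token and sample bytes are assumptions.
CRLF = b"\r\n"
# Constructed input: an Upgrade request, then bytes the client sent before any response.
HEAD = (b"GET /chat HTTP/1.1\r\nHost: example.test\r\n"
        b"Connection: Upgrade\r\nUpgrade: example-proto\r\n\r\n")
TAIL = b"GET /after-upgrade HTTP/1.1\r\nHost: example.test\r\n\r\n"
REJECT = b"HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Basic realm=\"x\"\r\n"

def parse_request(buf):
    """Split one bodiless request off buf: (request_line, headers, rest) or None."""
    head, sep, rest = buf.partition(CRLF + CRLF)
    if not sep:
        return None  # incomplete header block
    lines = head.split(CRLF)
    headers = {}
    for raw in lines[1:]:
        name, _, value = raw.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, rest

def handle_connection(stream, close_on_rejected_upgrade):
    """Return (responses, request lines processed, bytes left unread)."""
    responses, processed, buf = [], [], stream
    while buf:
        parsed = parse_request(buf)
        if parsed is None:
            break
        line, headers, buf = parsed
        processed.append(line)
        if b"upgrade" not in headers:
            responses.append(b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n")
        elif close_on_rejected_upgrade:
            # Toy server rejects every Upgrade; announce the close and stop reading.
            responses.append(REJECT + b"Connection: close\r\nContent-Length: 0\r\n\r\n")
            break  # caller closes the socket; buf is never parsed as a request
        else:
            # Keep-alive after rejection: the loop goes on to parse whatever follows.
            responses.append(REJECT + b"Content-Length: 0\r\n\r\n")
    return responses, processed, len(buf)

if __name__ == "__main__":
    for policy in (False, True):
        _, seen, unread = handle_connection(HEAD + TAIL, policy)
        print(f"close_on_rejected_upgrade={policy}: processed={seen} unread={unread}")
```

With the close policy, a client that has to retry after the 401 must open a new connection, which is the performance cost the issue mentions.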