Yeah, this isn’t really a problem w/ HTTP/1.1, it’s a problem with servers being loose w/ the spec. The example they gave was having a fixed content length and chunked encoding in the same request, which is nonsensical and should be rejected. The spec doesn’t mention what happens if you have both, but it does distinguish between having one or the other, so it makes sense to reject the request if there’s confusion.
That said, the spec does indicate a priority here:
4.4 Message Length
The transfer-length of a message is the length of the message-body as it appears in the message; that is, after any transfer-codings have been applied. When a message-body is included with a message, the transfer-length of that body is determined by one of the following (in order of precedence):
1.Any response message which “MUST NOT” include a message-body (such as the 1xx, 204, and 304 responses and any response to a HEAD request) is always terminated by the first empty line after the header fields, regardless of the entity-header fields present in the message.
2.If a Transfer-Encoding header field (section 14.41) is present and has any value other than “identity”, then the transfer-length is defined by use of the “chunked” transfer-coding (section 3.6), unless the message is terminated by closing the connection.
3.If a Content-Length header field (section 14.13) is present, its decimal value in OCTETs represents both the entity-length and the transfer-length. The Content-Length header field MUST NOT be sent if these two lengths are different (i.e., if a Transfer-Encoding header field is present). If a message is received with both a Transfer-Encoding header field and a Content-Length header field, the latter MUST be ignored.
4.If the message uses the media type “multipart/byteranges”, and the transfer-length is not otherwise specified, then this self- elimiting media type defines the transfer-length. This media type UST NOT be used unless the sender knows that the recipient can arse it; the presence in a request of a Range header with ultiple byte- range specifiers from a 1.1 client implies that the lient can parse multipart/byteranges responses.
A range header might be forwarded by a 1.0 proxy that does not understand multipart/byteranges; in this case the server MUST delimit the message using methods defined in items 1,3 or 5 of this section.
- By the server closing the connection. (Closing the connection cannot be used to indicate the end of a request body, since that would leave no possibility for the server to send back a response.)
If all services followed the spec, there shouldn’t be an issue.
HTTP/2 is better, sure, but the real problem here isn’t HTTP 1.1, the problem is implementations, and there are surely issues in the HTTP/2 implementations we have on the market today…
I dont know how many people you have talked to that do web development, but Ive worked with at least a dozen developers and I’ve yet to speak with one who read the HTTP spec or any web standards for that matter. Maybe I’ve just worked with terrible people, that is entirely possible.
I read most of it when I started out, but most web devs honestly shouldn’t need to care, only devs who build web servers should care. This should be caught at the library layer, not the application.
Also, that website uses Cloudflare to “protect” itself, risking reliability for no good reason at all.
Am i missing something? It seems like they are only trying a DNS redirect. I am not a fan of those or of Cloudflare, but in the scheme of things that seems relatively benign. On Android that’s easily blocked by my firewall rules.
I’m no expert and would like to be educated on this.
Cloudflare does have its own history of outages.
Yes it does, what does that have to do with what I asked? I do appreciate your downvote when I asked a legitimate question.
I’m not exactly a fan of irregular downvotes, actually.
What I’m saying is: a website that relies on any Cloudflare service will have an outage when Cloudflare does. Cloudflare adds a single point of failure heee, and in my opinion that’s irresponsible.
I’m not exactly a fan of irregular downvotes, actually.
Yet you did it anyway. I didn’t downvote you, I only asked a question to learn more.
I still have not learned anything about this.
I agree with you about Cloudflare gatekeeping. I also use Tor or Orbot, so Cloudflare is a pain in the ass.
