RFC 9113 HTTP/2 mandates certain validation for HTTP headers; the HttpClient doesn't fully implement the described requirements.
Section 8.3 states that:
Pseudo-header fields defined for requests MUST NOT appear in responses; pseudo-header fields defined for responses MUST NOT appear in requests. Pseudo-header fields MUST NOT appear in a trailer section. Endpoints MUST treat a request or response that contains undefined or invalid pseudo-header fields as malformed
This is currently not enforced. It is possible to send request pseudo-header fields in a response, and vice versa, without the message being treated as malformed. Trailer handling is currently unimplemented.
Section 8.2.2 states that:
An endpoint MUST NOT generate an HTTP/2 message containing connection-specific header fields. This includes the Connection header field and those listed as having connection-specific semantics in Section 7.6.1 of [HTTP] (that is, Proxy-Connection, Keep-Alive, Transfer-Encoding, and Upgrade). Any message containing connection-specific header fields MUST be treated as malformed
This is currently not enforced. The presence of these headers is ignored.
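To make the two requirements above concrete, here is a small validator for a decoded HTTP/2 header block that applies the Section 8.3 pseudo-header rules and the Section 8.2.2 connection-specific header rule. It is an added illustration written for this page, not code from the JDK HttpClient or the proposed fix; the function names, the PROTOCOL_ERROR mapping in the docstring, and the sample header lists are assumptions chosen for the example. Beyond the two rules quoted above it also checks the ordering rule from the same Section 8.3 (pseudo-header fields must precede regular fields) and the Section 8.2.2 restriction that TE may only carry the value "trailers".

```python
# Added example (not JDK code): validating a decoded HTTP/2 header block
# against RFC 9113 Sections 8.2.2 and 8.3. Field names are assumed to be
# lowercase as delivered by the HPACK decoder (Section 8.2.1).
from typing import Iterable, Optional, Tuple

# Section 8.3.1: pseudo-header fields defined for requests.
REQUEST_PSEUDO = {":method", ":scheme", ":authority", ":path"}
# Section 8.3.2: the only pseudo-header field defined for responses.
RESPONSE_PSEUDO = {":status"}
# Section 8.2.2: connection-specific fields that must not appear in HTTP/2.
CONNECTION_SPECIFIC = {"connection", "proxy-connection", "keep-alive",
                       "transfer-encoding", "upgrade"}


def validate_header_block(headers: Iterable[Tuple[str, str]],
                          *, is_request: bool,
                          is_trailer: bool = False) -> Optional[str]:
    """Return None if the block is well-formed, else why it is malformed.

    `headers` is the decoded block in wire order as (name, value) pairs.
    A caller that receives a non-None result should treat the message as
    malformed, i.e. a stream error of type PROTOCOL_ERROR (Section 8.1.1),
    rather than silently ignoring the offending field.
    """
    allowed_pseudo = REQUEST_PSEUDO if is_request else RESPONSE_PSEUDO
    seen_regular = False
    for name, value in headers:
        if name.startswith(":"):
            # Section 8.3: pseudo-header fields MUST NOT appear in a trailer.
            if is_trailer:
                return f"pseudo-header {name} in trailer section"
            # Section 8.3: all pseudo-header fields precede regular fields.
            if seen_regular:
                return f"pseudo-header {name} after a regular field"
            # Request pseudo-headers in a response (or vice versa) and any
            # undefined pseudo-header make the message malformed.
            if name not in allowed_pseudo:
                return f"pseudo-header {name} not permitted in this message"
            continue
        seen_regular = True
        # Section 8.2.2: connection-specific fields make the message malformed.
        if name in CONNECTION_SPECIFIC:
            return f"connection-specific header {name}"
        # Section 8.2.2: TE is allowed only with the value "trailers".
        if name == "te" and value.strip().lower() != "trailers":
            return f"te header with disallowed value {value!r}"
    return None


# Constructed sample blocks (not captured traffic) exercising each rule.
GOOD_REQUEST = [(":method", "GET"), (":scheme", "https"),
                (":authority", "example.invalid"), (":path", "/"),
                ("te", "trailers"), ("accept", "*/*")]
RESPONSE_WITH_REQUEST_PSEUDO = [(":status", "200"), (":method", "GET")]
REQUEST_WITH_STATUS = [(":status", "200"), (":method", "GET")]
TRAILER_WITH_PSEUDO = [(":status", "200"), ("x-checksum", "abc")]
RESPONSE_WITH_CONNECTION = [(":status", "200"), ("connection", "keep-alive")]
PSEUDO_AFTER_REGULAR = [(":status", "200"), ("server", "x"), (":status", "200")]

if __name__ == "__main__":
    print(validate_header_block(GOOD_REQUEST, is_request=True))
    print(validate_header_block(RESPONSE_WITH_REQUEST_PSEUDO, is_request=False))
    print(validate_header_block(RESPONSE_WITH_CONNECTION, is_request=False))
```

The validator reports the first violation it finds; a real implementation would additionally check that all mandatory request pseudo-headers are present, which this example does not do.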
CSR for: JDK-8354299 Strict HTTP header validation (Finalized)
Links to: Review(master) openjdk/jdk/24569