Yeah, this isn’t really a problem w/ HTTP/1.1, it’s a problem with servers being loose w/ the spec. The example they gave was having a fixed content length and chunked encoding in the same request, which is nonsensical and should be rejected. The spec doesn’t mention what happens if you have both, but it does distinguish between having one or the other, so it makes sense to reject the request if there’s confusion.
The transfer-length of a message is the length of the message-body as
it appears in the message; that is, after any transfer-codings have
been applied. When a message-body is included with a message, the
transfer-length of that body is determined by one of the following
(in order of precedence):
1.Any response message which “MUST NOT” include a message-body (such
as the 1xx, 204, and 304 responses and any response to a HEAD
request) is always terminated by the first empty line after the
header fields, regardless of the entity-header fields present in
the message.
2.If a Transfer-Encoding header field (section 14.41) is present and
has any value other than “identity”, then the transfer-length is
defined by use of the “chunked” transfer-coding (section 3.6),
unless the message is terminated by closing the connection.
3.If a Content-Length header field (section 14.13) is present, its
decimal value in OCTETs represents both the entity-length and the
transfer-length. The Content-Length header field MUST NOT be sent
if these two lengths are different (i.e., if a Transfer-Encoding
header field is present). If a message is received with both a
Transfer-Encoding header field and a Content-Length header field,
the latter MUST be ignored.
4.If the message uses the media type “multipart/byteranges”, and the
transfer-length is not otherwise specified, then this self-
elimiting media type defines the transfer-length. This media type
UST NOT be used unless the sender knows that the recipient can arse
it; the presence in a request of a Range header with ultiple byte-
range specifiers from a 1.1 client implies that the lient can parse
multipart/byteranges responses.
A range header might be forwarded by a 1.0 proxy that does not
understand multipart/byteranges; in this case the server MUST
delimit the message using methods defined in items 1,3 or 5 of
this section.
By the server closing the connection. (Closing the connection
cannot be used to indicate the end of a request body, since that
would leave no possibility for the server to send back a response.)
If all services followed the spec, there shouldn’t be an issue.
HTTP/2 is better, sure, but the real problem here isn’t HTTP 1.1, the problem is implementations, and there are surely issues in the HTTP/2 implementations we have on the market today…
I dont know how many people you have talked to that do web development, but Ive worked with at least a dozen developers and I’ve yet to speak with one who read the HTTP spec or any web standards for that matter. Maybe I’ve just worked with terrible people, that is entirely possible.
I read most of it when I started out, but most web devs honestly shouldn’t need to care, only devs who build web servers should care. This should be caught at the library layer, not the application.
Yeah, this isn’t really a problem w/ HTTP/1.1, it’s a problem with servers being loose w/ the spec. The example they gave was having a fixed content length and chunked encoding in the same request, which is nonsensical and should be rejected. The spec doesn’t mention what happens if you have both, but it does distinguish between having one or the other, so it makes sense to reject the request if there’s confusion.
That said, the spec does indicate a priority here:
If all services followed the spec, there shouldn’t be an issue.
HTTP/2 is better, sure, but the real problem here isn’t HTTP 1.1, the problem is implementations, and there are surely issues in the HTTP/2 implementations we have on the market today…
I dont know how many people you have talked to that do web development, but Ive worked with at least a dozen developers and I’ve yet to speak with one who read the HTTP spec or any web standards for that matter. Maybe I’ve just worked with terrible people, that is entirely possible.
I read most of it when I started out, but most web devs honestly shouldn’t need to care, only devs who build web servers should care. This should be caught at the library layer, not the application.