duande9301
2018-10-26 05:23

RFC 2616 HTTP Content-Length and Transfer-Encoding compatibility

RFC 2616 states that the Content-Length header must not be sent if a Transfer-Encoding is present.

The Content-Length header field MUST NOT be sent if these two lengths are different (i.e., if a Transfer-Encoding header field is present).

However, if both headers are received, the client should ignore the Content-Length

If a message is received with both a Transfer-Encoding header field and a Content-Length header field, the latter MUST be ignored.

Is my interpretation correct that the client should treat the case where both headers are present as a proper HTTP response? Or is this clause implementation specific?

I'm asking because the Go standard net/http package returns an error when such a scenario happens.


1 answer

  • dsh7623 2018-10-26 05:38
    Accepted

    The standard does not really specify what should happen in this case, only that if the message is accepted at all then the Content-length should be ignored. To cite from RFC 7230:

    If a message is received with both a Transfer-Encoding and a Content-Length header field, the Transfer-Encoding overrides the Content-Length. Such a message might indicate an attempt to perform request smuggling (Section 9.5) or response splitting (Section 9.4) and ought to be handled as an error.

    Note the weak "ought to" here which is far from MUST. But at least net/http is fully correct in that this kind of response is wrong and can be handled as an error. But it is not required to be treated as an error.

    In practice all browsers seem to accept such a response and usually ignore the Content-length header. But I've also seen a behavior with MS Edge in the past where it correctly treated the response body as chunked but additionally used Content-length and ignored any bytes from the response body not covered by the Content-length.

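The framing decision discussed in the answer above, as an added Go example (not part of the original post and not net/http's own code). `ReadBody`, its `strict` flag and the `sample` response are hypothetical names constructed for illustration: strict mode treats a message carrying both headers as an error, while lenient mode lets Transfer-Encoding override Content-Length.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"net/http/httputil"
	"net/textproto"
	"strconv"
	"strings"
)

// ReadBody (hypothetical helper) frames a raw HTTP/1.1 response. strict rejects
// messages with both headers; otherwise Transfer-Encoding overrides Content-Length.
func ReadBody(raw string, strict bool) ([]byte, error) {
	tp := textproto.NewReader(bufio.NewReader(strings.NewReader(raw)))
	if _, err := tp.ReadLine(); err != nil { // skip the status line
		return nil, err
	}
	hdr, err := tp.ReadMIMEHeader()
	if err != nil {
		return nil, err
	}
	te, cl := hdr.Get("Transfer-Encoding"), hdr.Get("Content-Length")
	switch {
	case te != "" && cl != "" && strict: // ambiguous framing: handle as an error
		return nil, fmt.Errorf("both Transfer-Encoding and Content-Length present")
	case te != "" && !strings.EqualFold(te, "chunked"):
		return nil, fmt.Errorf("unsupported Transfer-Encoding %q", te)
	case te != "": // chunked; any Content-Length is ignored
		return io.ReadAll(httputil.NewChunkedReader(tp.R))
	case cl != "":
		n, err := strconv.ParseUint(cl, 10, 63) // rejects signs and non-digits
		if err != nil {
			return nil, fmt.Errorf("bad Content-Length %q", cl)
		}
		return io.ReadAll(io.LimitReader(tp.R, int64(n)))
	}
	return io.ReadAll(tp.R) // no framing header: body runs until close
}

// sample is a constructed response whose headers disagree (5 vs 11 body bytes).
const sample = "HTTP/1.1 200 OK\r\nContent-Length: 5\r\n" +
	"Transfer-Encoding: chunked\r\n\r\nb\r\nhello world\r\n0\r\n\r\n"

func main() {
	lenient, _ := ReadBody(sample, false)
	_, strictErr := ReadBody(sample, true)
	fmt.Printf("lenient=%q strict=%v\n", lenient, strictErr)
}
```

A receiver that applied Content-Length to this sample would stop after 5 body bytes, while one that honours chunked framing reads all 11; that disagreement between parsers is why the RFC text says such a message ought to be handled as an error.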