On Thu, 10 Apr 2025 11:37:23 GMT, Daniel Jeliński <djelin...@openjdk.org> wrote:
> RFC 9113 HTTP/2 mandates certain validation for HTTP headers; the HttpClient > don't fully implement the described requirements. > > This PR adds the following validation: > - pseudo-headers defined for requests are rejected in responses and push > streams > - pseudo-headers defined for responses are rejected in push promises > - connection headers are rejected in responses and push streams > > Connection headers are still accepted in push promises; that's because some > popular server implementations were found to echo the request headers in push > promises, and when the original request was a HTTP/1 upgrade, the push > promise could contain one or more headers that were prohibited in HTTP/2 but > allowed in HTTP/1. > > An existing test was adapted to verify the handling of response headers. The > modified test passes with this the changes in this PR, fails without them. > Other tier1-3 tests continue to pass. This pull request has now been integrated. Changeset: c94a7ae1 Author: Daniel Jeliński <djelin...@openjdk.org> URL: https://git.openjdk.org/jdk/commit/c94a7ae11e588250cd0eb064c3280afd580530ea Stats: 266 lines in 6 files changed: 245 ins; 2 del; 19 mod 8354276: Strict HTTP header validation Reviewed-by: dfuchs, jpai ------------- PR: https://git.openjdk.org/jdk/pull/24569
