On Wed, 17 Dec 2025 10:01:20 GMT, Daniel Jeliński <[email protected]> wrote:
>> We only need the check for clear connections. Why would you keep it with
>> https?
>
> Because any input that starts with a character below 32 may not be a HTTP
> request, so we might as well reject such bytes over TLS too.
>
> Ideally we'd have a state machine that would reject any request as soon as we
> receive a byte that is not valid in a HTTP request, but what you have is a
> good improvement already.

Right. We could do that as a future improvement. Let's focus this change on TLS clients connecting to a non-TLS server.

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/28827#discussion_r2626441679
