Hi Thomas,
Yes, I just looked at RFC7231 (section 5.5.2) and while there are
security implications
of usage of the 'Referer' header, the HTTP client library does not have
the relevant context
to decide whether it should be set or not. My view is that this is the
responsibility of
the calling code. We will probably do a review of all of these
restricted headers and
then propose a change to this area.
Thanks,
Michael.
On 04/10/2018, 18:41, Thomas Lußnig wrote:
Hi,
i have an question about the new HttpClient from JDK11.
Is there any good reason that the Referer header is restricted?
Because i have scenarios where the customer server expect Referer
header in the Login sequence.
So is there any way how to set restricted headers?
Gruß Thomas
On 14.08.2018 15:59:51, Michael McMahon wrote:
Hi,
This is an important fix for 11 which addresses the problem where
HTTP/1.0
responses that do not include a content-length header are not handled
correctly.
http://cr.openjdk.java.net/~michaelm/8207966/webrev.2/index.html
Thanks,
Michael.
