On Sun, Aug 1, 2021, at 10:58, John Levine wrote:
> Well, you know, ALPACA is the predictable result of three decades of
> web browsers accepting any crud from
> broken web servers and trying to guess what it was supposed to mean.

Curious, that's not how I read it. If you look, it's non-HTTP servers accepting 11-17 lines of HTTP garbage and still carrying on to produce a response that is technically valid HTTP.

HTTP handling in browsers is pretty heavily regulated. While it is unfortunate that HTTP/0.9 compatibility is still necessary and that tends to lead to more tolerance of errors than is ideal, I don't attribute this error solely to browsers.

> It'd be more effective to say that browsers
> MUST send ALPNs and MUST NOT accept responses that don't send an
> expected ALPN back.

That is exactly what they do, which is also what RFC 7301 states. The problem is that some servers don't implement ALPN support. And those servers often can't as a result of there not being an ALPN defined for that protocol.

> I made my mail servers a lot less useful for that particular hack by
> adjusting them to drop the connection after
> any bad command since real mail clients never send bad commands.

Yeah, tolerance of bad inputs is an anti-feature for a networking protocol.

_______________________________________________
Uta mailing list
Uta@ietf.org
https://www.ietf.org/mailman/listinfo/uta
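
The difference between tolerating bad commands and dropping the connection on the first one, as an added example that is not part of the original message or of any mail server's code. It models a toy line-based server with a simplified SMTP-like command set; the command set, reply texts, `run_session` and `max_bad` are assumptions for illustration, and the input lines are constructed.

```python
# Added example: strict vs. tolerant command handling in a line-based server.
# Simplified SMTP-like verb set (assumption, not a full SMTP implementation).
KNOWN = {"HELO", "EHLO", "MAIL", "RCPT", "DATA", "NOOP", "RSET", "QUIT"}

# Constructed sample: an HTTP request delivered to the mail port, whose body
# happens to contain lines that parse as mail commands.
CROSS_PROTOCOL = [
    "POST / HTTP/1.1\r\n",
    "Host: mail.example\r\n",
    "Content-Type: text/plain\r\n",
    "Content-Length: 27\r\n",
    "\r\n",
    "EHLO client.example\r\n",
    "NOOP\r\n",
]


def run_session(lines, max_bad=None):
    """Feed client lines to the toy server.

    max_bad=None tolerates any number of bad commands;
    max_bad=0 closes the connection on the first bad command.
    Returns (replies, closed_by_server).
    """
    replies = ["220 mail.example ready"]
    bad = 0
    for raw in lines:
        line = raw.rstrip("\r\n")
        verb = line.split(" ", 1)[0].upper() if line else ""
        if verb in KNOWN:
            if verb == "QUIT":
                replies.append("221 bye")
                return replies, True
            replies.append("250 ok")
            continue
        bad += 1
        if max_bad is not None and bad > max_bad:
            # Strict mode: stop parsing, nothing after this line is processed.
            replies.append("421 closing connection: bad command")
            return replies, True
        replies.append("500 unrecognized command")
    return replies, False


if __name__ == "__main__":
    for label, limit in (("tolerant", None), ("strict", 0)):
        out, closed = run_session(CROSS_PROTOCOL, max_bad=limit)
        print(label, "closed_by_server=%s" % closed)
        for reply in out:
            print("   ", reply)
```

The tolerant run answers the HTTP header lines with errors and then still executes the two commands in the body; the strict run ends at the request line.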