[optimistic-upgrade] Recommend GET for future Upgrade Tokens #2827
Conversation
bemasc
force-pushed
the
bemasc-deprecate-http
branch
from
299b3ac
to
b45522e
Compare
bemasc
force-pushed
the
bemasc-prefer-get
branch
from
4d273da
to
bf69cf2
Compare
bemasc
force-pushed
the
bemasc-deprecate-http
branch
from
b45522e
to
d51a203
Compare
bemasc
force-pushed
the
bemasc-prefer-get
branch
from
bf69cf2
to
4c27424
Compare
|
I do not agree with this suggestion. Upgrade is intended to support a not-yet-defined future. Limits placed upon it must be evaluated in terms of what will be excluded from future use, not what is currently being used in practice. If you want to limit what can be sent in a body, do that instead. The entire premise of this document is that a client will send something incredibly stupid and uncontrolled in a request body while asking for an upgrade. Just forbid that and be done. In any case, Upgrade with GET, HEAD, and OPTIONS has no such issues. Upgrade should also be possible to use with QUERY with any compliant server. If you can find a server that fails to process a valid request body and then proceeds to treat it as a pipelined request, that is a vulnerability in their code. |
bemasc
force-pushed
the
bemasc-deprecate-http
branch
2 times, most recently
from
c3d4c21
to
aed69da
Compare
bemasc
force-pushed
the
bemasc-prefer-get
branch
from
4c27424
to
e8594c7
Compare
|
This PR originally assumed the deprecation of "TLS" in #2818. I've removed that deprecation there, so other HTTP methods are necessarily allowed. Due to that change, I've rewritten the recommendation here, removed the PR stacking, and removed the "draft PR" flag. |
bemasc
force-pushed
the
bemasc-prefer-get
branch
from
ac690a6
to
b84109e
Compare
bemasc
force-pushed
the
bemasc-prefer-get
branch
from
b84109e
to
491bc82
Compare
Fixes #2738