> On 05.10.2022 at 18:48, Eric Covener <cove...@gmail.com> wrote:
> 
> On Wed, Oct 5, 2022 at 12:44 PM Roy T. Fielding <field...@gbiv.com> wrote:
>> 
>>> On Sep 26, 2022, at 5:29 AM, ic...@apache.org wrote:
>>> 
>>> Author: icing
>>> Date: Mon Sep 26 12:29:47 2022
>>> New Revision: 1904269
>>> 
>>> URL: http://svn.apache.org/viewvc?rev=1904269&view=rev
>>> Log:
>>> *) mod_http2: new directive "H2HeaderStrictness" to control the compliance
>>>    level of header checks as defined in the HTTP/2 RFCs. Default is 7540.
>>>    9113 activates the checks for forbidden leading/trailing whitespace in
>>>    field values (available from nghttp2 v1.50.0 on).
>> 
>> I am not seeing why that should be optional. It adds overhead, but it reduces
>> variability (for HPACK) and might prevent some downstream vulnerabilities, 
>> IIRC.
>> Maybe an internal switch for testing with default on?
> 
> +1 for opt-out.

People downgraded nghttp2 v1.49 where this was on by default because of various 
interop problems.

I am all for strictness, but this improvement in the RFC seems to have thorns 
for users.

- Stefan
