https://bz.apache.org/bugzilla/show_bug.cgi?id=63932

--- Comment #17 from Konstantin Kolinko <knst.koli...@gmail.com> ---
(In reply to Michael Osipov from comment #16)
> (In reply to Mark Thomas from comment #15)
> 
> > Of all the ideas, disabling compression in the presence of a strong ETag
> > seems like the best solution to me. An open question is do we make this
> > configurable or do we just do it? If configurable, I'd argue for enabled by
> > default.
> 
> I would just do it because anything else would break the RFC for that and
> this is certainly something we don't want to do.

1. I agree (+1) for it to be enabled by default.

2. I think that it would be better to have it configurable (aka flag),
deprecate and remove the option in some later version (Tomcat 10).

We can go without an option as the risk is minimal (clients should be able to
deal with non-compressed responses), but someone might care.

3. I think that this feature has to be documented. My thought was to add a
section to "Special Features" in the doc, as it outgrows what we usually put
into an attributes table. [1]

(In reply to Michael Osipov from comment #13)
> (In reply to Konstantin Kolinko from comment #11)
> > (In reply to Michael Osipov from comment #8)
> > > 
> > > I get the feeling that compression configuration must be moved sooner or
> > > later to a subelement <Compression> beneath a connector.
> > 
> > Enabling compression globally like that may make one vulnerable to BREACH
> > exploit. Maybe controlling this feature from within a web application is a
> > way to go. (E.g. like sendfile feature can be used by DefaultServlet).
> 
> I don't understand this?! Transparent compression is already on the
> Connector? All I am saying is to move those three attributes into a
> subelement.

I think that blindly enabling compression for the whole site (without knowing
anything about deployed web applications) may make one vulnerable to BREACH.
Whether this configuration is actually exploitable depends on what dynamic
responses are generated by a web application.

I think that serving static resources is safe. Thus I think that the feature of
serving precompressed resources implemented by the DefaultServlet [2] is a
better alternative to enabling this option on a Connector.


[1] http://tomcat.apache.org/tomcat-9.0-doc/config/http.html
[2] http://tomcat.apache.org/tomcat-9.0-doc/default-servlet.html#change
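The two configurations the comment contrasts, shown as an added illustration that is not part of the bug report or of Tomcat's own documentation: connector-level compression from server.xml against DefaultServlet precompressed static files from web.xml. Attribute and init-param names are the documented Tomcat 9 ones as I know them; port numbers, MIME list and file suffixes are constructed sample values.

```xml
<!-- conf/server.xml: compression switched on at the Connector applies to
     every response of every deployed web application, dynamic output
     included. Whether that is exploitable via BREACH depends on what the
     applications generate (a secret and attacker-influenced text in the
     same compressed body), which the Connector cannot know. -->
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443"
           compression="on"
           compressionMinSize="2048"
           compressibleMimeType="text/html,text/css,text/javascript,application/javascript,application/json"/>

<!-- conf/server.xml: the alternative suggested in the comment. Leave
     Connector compression off so dynamic servlet output is never
     compressed transparently. -->
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443"
           compression="off"/>

<!-- WEB-INF/web.xml of the web application: DefaultServlet serves a
     precompressed sibling (app.css.br or app.css.gz next to app.css) when
     the client's Accept-Encoding matches, so only static resources that
     were compressed ahead of time go out encoded. -->
<servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
        <param-name>precompressed</param-name>
        <param-value>br=.br,gzip=.gz</param-value>
    </init-param>
    <init-param>
        <param-name>listings</param-name>
        <param-value>false</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
    <servlet-name>default</servlet-name>
    <url-pattern>/</url-pattern>
</servlet-mapping>
```

With the second configuration, a response header of `Content-Encoding: br` or `gzip` on a static file confirms the precompressed path is in use, while dynamic responses should arrive with no Content-Encoding header.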
