On 03/02/2021 15:50, Rémy Maucherat wrote:
> On Wed, Feb 3, 2021 at 1:03 PM Mark Thomas <ma...@apache.org> wrote:

<snip/>

>> I'm still considering what might be the best way to fix this. Hence the
>> brain dump above. Thoughts?
>
> There has been some debate about this before, and you did add quite a bit
> of code to catch things that would break the protocol. So it seems this
> would go above and beyond, and attempt to catch *anything* that could make
> a response non compliant with the underlying protocol ?

The stuff I added before was mostly on the input side to protect against non-compliant user agents. The changes I am thinking about here are more geared towards preventing apps from setting response headers they shouldn't.

How far to go is the question:

a) a few we know are definitely wrong (like TE: chunked) ?
b) any we think Tomcat should / needs to control ?
c) make it fully customisable ?
d) something else?

Maybe I need to make a list of the headers I think fall under a) and b) and see if that helps clarify things.

Mark
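
One way to approximate option (a) from the message above at the application level, as an added example that is not part of the original e-mail and not Tomcat's own code: a servlet filter that ignores application attempts to set container-controlled response headers. The class name, the `javax.servlet` namespace (Tomcat 9 and earlier, Java 9+), and the reading of "TE: chunked" as the `Transfer-Encoding` response header are assumptions.

```java
import java.io.IOException;
import java.util.Locale;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

// Hypothetical filter (not Tomcat code): drops application attempts to set
// response headers that the container has to control itself.
public class ContainerHeaderGuardFilter implements Filter {
    // Assumed deny list: only Transfer-Encoding is taken from the thread.
    private static final Set<String> BLOCKED = Set.of("transfer-encoding");

    // Header names are case-insensitive, so normalise before the lookup.
    static boolean blocked(String name) {
        return name != null && BLOCKED.contains(name.trim().toLowerCase(Locale.ROOT));
    }

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (res instanceof HttpServletResponse) {
            res = new Guard((HttpServletResponse) res);
        }
        chain.doFilter(req, res);
    }

    // Every header-writing method is overridden, so no variant bypasses the check.
    private static final class Guard extends HttpServletResponseWrapper {
        Guard(HttpServletResponse r) { super(r); }
        @Override public void setHeader(String n, String v) { if (!blocked(n)) super.setHeader(n, v); }
        @Override public void addHeader(String n, String v) { if (!blocked(n)) super.addHeader(n, v); }
        @Override public void setIntHeader(String n, int v) { if (!blocked(n)) super.setIntHeader(n, v); }
        @Override public void addIntHeader(String n, int v) { if (!blocked(n)) super.addIntHeader(n, v); }
        @Override public void setDateHeader(String n, long v) { if (!blocked(n)) super.setDateHeader(n, v); }
        @Override public void addDateHeader(String n, long v) { if (!blocked(n)) super.addDateHeader(n, v); }
    }
}
```

The filter only covers code that runs behind it in the filter chain and silently ignores blocked headers; whether to ignore, log or reject is a separate design choice that the thread leaves open.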