I noticed that if HAProxy receives a message containing \x01 in a field value, it will happily forward that message. This appears to be permitted by RFC9113 and RFC9114. However, it might cause a problem if the message is a response, the response is sent to the client over HTTP/3, and the client uses nghttp3. nghttp3 will silently discard the field, causing HAProxy and the client to disagree on whether the field exists.
Is this a serious concern, or is it considered too theoretical to matter? From my reading of https://github.com/ngtcp2/nghttp3/discussions/346, it seems that the nghttp3 maintainer considers this to be working as intended (a valid decision). Is there anything that should be be done on the HAProxy side, or is HAProxy thinking that a header exists when a client thinks it does not expected behavior? -- Sincerely, Demi Marie Obenour (she/her/hers)
OpenPGP_0xB288B55FFF9C22C1.asc
Description: OpenPGP public key
OpenPGP_signature.asc
Description: OpenPGP digital signature
