The "message/http" content-type is typically only seen in the response body
content to a TRACE method (which is unsupported by Jetty for security
reasons).

eg:

TRACE http://www.company.com/ HTTP/1.1
Host: www.company.com
Connection: Close
(blank line)

HTTP/1.1 200 OK
Transfer-Encoding: chunked
Date: Wed, 15 Feb 2017 09:44:21 GMT
Content-Type: message/http
Connection: close
Server: ImpressiveServer/1.2.3.4 (Unix)
Connection: close
Via: 1.1 bogusproxy

9d
TRACE / HTTP/1.1
Connection: keep-alive
Host: www.company.com
Via: 1.1 bogusproxy
X-Foo: Value1,
       Value2,
       Value3
X-Forwarded-For: 111.69.185.59, 111.69.5.234

0


It was removed from the spec specifically because it causes security
issues (header injection).
Note: Internet Explorer, Chrome, Firefox, and most proxies do not support
header folding anymore.

What you are trying to do is going to become increasingly difficult as
time goes on (not only will Jetty reject it, but so must HTTP proxies and
the like).

The spec is pretty clear https://tools.ietf.org/html/rfc7230#section-3.2.4

   Historically, HTTP header field values could be extended over
   multiple lines by preceding each extra line with at least one space
   or horizontal tab (obs-fold).  This specification deprecates such
   line folding except within the message/http media type
   (Section 8.3.1 <https://tools.ietf.org/html/rfc7230#section-8.3.1>).
   A sender MUST NOT generate a message that includes
   line folding (i.e., that has any field-value that contains a match to
   the obs-fold rule) unless the message is intended for packaging
   within the message/http media type.


Your clients MUST NOT send folded http headers.
It is highly unlikely that Jetty will reintroduce header folding.
You'll have to make a very good (security minded) case for it.


Joakim Erdfelt / [email protected]

On Wed, Feb 15, 2017 at 10:13 AM, Lothar Kimmeringer <[email protected]>
wrote:

> Hi,
>
> I switched from 9.2 to 9.3 and two dozen test cases now fail due
> to the fact that they create HTTP requests containing folded HTTP
> request headers. I'm aware of Bug 444222 where it's mentioned that
> Jetty 9.3 will follow RFC 7230 more strictly, so I know why I now
> get HTTP 400 responses.
>
> The RFC allows two ways of reacting to folded HTTP headers:
>
> | A server that receives an obs-fold in a request message that is not
> |    within a message/http container MUST either reject the message by
> |    sending a 400 (Bad Request), preferably with a representation
> |    explaining that obsolete line folding is unacceptable, or replace
> |    each received obs-fold with one or more SP octets prior to
> |    interpreting the field value or forwarding the message downstream.
>
> Since we use Jetty as HTTP server for AS2, WebService and RESTful
> service data exchanges on a couple thousand distinct installations
> where we have absolutely no control over the other side sending in
> these requests, the default behavior will definitely break production
> EDI setups. So I'm forced to use option 2 of the RFC.
>
> How can I set up Jetty to replace line breaks with spaces in order
> to keep existing data exchanges running with the new version?
>
>
> Thanks and best regards,
>
> Lothar Kimmeringer
_______________________________________________
jetty-users mailing list
[email protected]
To change your delivery options, retrieve your password, or unsubscribe from 
this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-users
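The two behaviours RFC 7230 section 3.2.4 permits a server (reject with 400, or replace each obs-fold with SP) and the header-injection hazard Joakim refers to, as an added example that is not Jetty's code and was not posted in this thread. It is a small header-section parser: `parse_headers_rfc7230` implements both permitted behaviours, `parse_headers_naive` is a deliberately permissive parser of the kind folded headers are exploited against, and the two sample requests are constructed for the example (the X-Foo request mirrors the TRACE echo above; the second plants a `Transfer-Encoding` line as a continuation so that a strict and a permissive parser disagree about the message framing). The function and constant names are the example's own.

```python
"""RFC 7230 obs-fold handling: reject, unfold, or (unsafely) misparse.

Added example, not Jetty's implementation. It demonstrates the two choices
RFC 7230 section 3.2.4 gives a server and why folded headers are a
header-injection hazard: two parsers can read the same bytes differently.
"""
import re

CRLF = b"\r\n"
# RFC 7230 token characters; a field-name must be a token with no trailing SP.
TOKEN_RE = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


class BadRequest(Exception):
    """The message must be rejected with 400 Bad Request."""


def split_header_block(raw: bytes):
    """Return (start_line, header_lines) without interpreting the lines."""
    head, sep, _body = raw.partition(CRLF + CRLF)
    if not sep:
        raise BadRequest("header section not terminated by an empty line")
    lines = head.split(CRLF)
    return lines[0], lines[1:]


def parse_headers_rfc7230(raw: bytes, mode: str = "reject"):
    """Parse a request's header section as RFC 7230 allows a server to.

    mode="reject": an obs-fold outside message/http gets a 400 (the RFC's
                   preferred option and Jetty 9.3's default).
    mode="unfold": each obs-fold is replaced by one SP before the value is
                   interpreted (the RFC's second permitted option).
    Returns an ordered list of (name, value) pairs; duplicates are kept.
    """
    _, lines = split_header_block(raw)
    fields = []
    for line in lines:
        if line[:1] in (b" ", b"\t"):
            # obs-fold: a line starting with SP/HTAB continues the previous value.
            if mode != "unfold" or not fields:
                raise BadRequest("obsolete line folding is unacceptable")
            name, value = fields[-1]
            fields[-1] = (name, value + b" " + line.strip(b" \t"))
            continue
        name, sep, value = line.partition(b":")
        # No whitespace between field-name and ':' and the name must be a
        # token; RFC 7230 makes both a 400 for a server.
        if not sep or not TOKEN_RE.match(name):
            raise BadRequest("malformed header field: %r" % line)
        fields.append((name, value.strip(b" \t")))
    return fields


def parse_headers_naive(raw: bytes):
    """Permissive parser of the kind obs-fold is exploited against: every
    line is a field and whitespace is stripped around the name."""
    _, lines = split_header_block(raw)
    return [(n.strip(), v.strip()) for n, _s, v in
            (line.partition(b":") for line in lines)]


def get_field(fields, name: bytes):
    """Case-insensitive lookup returning every value for a field name."""
    return [v for n, v in fields if n.lower() == name.lower()]


# Constructed sample requests for this example (not captured traffic).
FOLDED_REQUEST = (
    b"GET / HTTP/1.1\r\n"
    b"Host: www.company.com\r\n"
    b"X-Foo: Value1,\r\n"
    b"       Value2,\r\n"
    b"       Value3\r\n"
    b"\r\n"
)

# To a strict parser the second X-Comment line is part of a comment; to the
# permissive parser it is a Transfer-Encoding header that changes the framing.
SMUGGLED_REQUEST = (
    b"POST / HTTP/1.1\r\n"
    b"Host: www.company.com\r\n"
    b"X-Comment: benign\r\n"
    b" Transfer-Encoding: chunked\r\n"
    b"Content-Length: 5\r\n"
    b"\r\n"
    b"hello"
)


def strict_rejects(raw: bytes) -> bool:
    """True if a reject-mode server would answer 400 for this request."""
    try:
        parse_headers_rfc7230(raw, mode="reject")
    except BadRequest:
        return True
    return False


def parsers_disagree_on_transfer_encoding(raw: bytes) -> bool:
    """True when unfolding and the naive parser see different framing."""
    strict = get_field(parse_headers_rfc7230(raw, "unfold"), b"transfer-encoding")
    naive = get_field(parse_headers_naive(raw), b"transfer-encoding")
    return strict != naive


if __name__ == "__main__":
    print("reject mode:", "400" if strict_rejects(FOLDED_REQUEST) else "accepted")
    print("unfold mode:", parse_headers_rfc7230(FOLDED_REQUEST, "unfold"))
    print("framing disagreement:", parsers_disagree_on_transfer_encoding(SMUGGLED_REQUEST))
```

The point of the second request is the one behind the "header injection" remark: a front end that unfolds (or rejects) and a back end that parses naively will not agree on whether the body is `Content-Length`-framed or chunked, which is exactly the kind of desynchronisation that option 2 of the RFC has to be weighed against before enabling it on a server that sits behind proxies.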
