On Thu, 10 Apr 2025 11:37:23 GMT, Daniel Jeliński <djelin...@openjdk.org> wrote:
> RFC 9113 HTTP/2 mandates certain validation for HTTP headers; the HttpClient > don't fully implement the described requirements. > > This PR adds the following validation: > - pseudo-headers defined for requests are rejected in responses and push > streams > - pseudo-headers defined for responses are rejected in push promises > - connection headers are rejected in responses and push streams > > Connection headers are still accepted in push promises; that's because some > popular server implementations were found to echo the request headers in push > promises, and when the original request was a HTTP/1 upgrade, the push > promise could contain one or more headers that were prohibited in HTTP/2 but > allowed in HTTP/1. > > An existing test was adapted to verify the handling of response headers. The > modified test passes with this the changes in this PR, fails without them. > Other tier1-3 tests continue to pass. > @dfuch has indicated that a [compatibility and > specification](https://wiki.openjdk.org/display/csr/Main) (CSR) request is > needed for this pull request. There will be an observable change of behaviour for clients if for instance, a response contains a `connection: close` header added by custom code on the server side. ------------- PR Comment: https://git.openjdk.org/jdk/pull/24569#issuecomment-2792717783
