On Thu, 10 Apr 2025 12:45:40 GMT, Volkan Yazici <[email protected]> wrote:
>> RFC 9113 HTTP/2 mandates certain validation for HTTP headers; the HttpClient
>> don't fully implement the described requirements.
>>
>> This PR adds the following validation:
>> - pseudo-headers defined for requests are rejected in responses and push
>> streams
>> - pseudo-headers defined for responses are rejected in push promises
>> - connection headers are rejected in responses and push streams
>>
>> Connection headers are still accepted in push promises; that's because some
>> popular server implementations were found to echo the request headers in
>> push promises, and when the original request was a HTTP/1 upgrade, the push
>> promise could contain one or more headers that were prohibited in HTTP/2 but
>> allowed in HTTP/1.
>>
>> An existing test was adapted to verify the handling of response headers. The
>> modified test passes with this the changes in this PR, fails without them.
>> Other tier1-3 tests continue to pass.
>
> test/jdk/java/net/httpclient/http2/BadHeadersTest.java line 83:
>
>> 81: of(entry(":status", "200"), entry("hello", "DE" + ((char) 0x7F)
>> + "L")), // Bad byte in value
>> 82: of(entry(":status", "200"), entry("connection", "close")),
>> // Prohibited connection-specific header
>> 83: of(entry(":status", "200"), entry(":scheme", "https")),
>> // Request pseudo-header in response
>
> Shouldn't we instead exhaustively test against all hard-coded header
> collection in `ValidatingHeadersConsumer`, i.e., `PSEUDO_HEADERS` and
> `PROHIBITED_HEADERS`?
We could. I don't think it adds much value though.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/24569#discussion_r2037385857
