fishy commented on PR #2963: URL: https://github.com/apache/thrift/pull/2963#issuecomment-2075935871
> > THeaderProtocol already supports the auto detection of: [...] framed or not
>
> * Assumed, I absolutely want to force the use of framed transport for some reasons, I would have to derive an own variant and handle that myself? Otherwise bad counterparts could by crafting a suitable THeader force me into unframed mode which I don't want. Correct? Intended?

The "auto detection" part in THeader spec is more for auto "backward" compatibility with non-THeader clients. E.g. if a client talking to a THeader server does not use THeader at all, it still works if it uses one of TBinary or TCompact protocol, and with or without TFramedTransport. But if a client actually uses THeader, frame is enforced (it cannot write/read any header without frame).

> * Same with HMAC. I can intercept a message, strip the HMAC stuff and then deliver some "improved" version of the message instead. Correct? Intended?

If we have a MITM to rewrite the message then yes, HMAC can be stripped. I get your point, this proposal does add additional enforcement not possible with THeader alone.
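An added illustration of the framing point discussed in the comment above (not code from the PR or from Thrift): a receiver that classifies the peer from the leading bytes the way auto detection does, then refuses every client type that is not explicitly allow-listed instead of silently falling back. The magic values are assumed from the Thrift wire formats rather than taken from this thread, the function names are hypothetical, and the sample messages are constructed.

```python
import struct

# Assumed wire constants (from the Thrift protocol specs, not from this thread).
VERSION_MASK, BINARY_V1, HEADER_MAGIC = 0xFFFF0000, 0x80010000, 0x0FFF0000
COMPACT_ID, COMPACT_VERSION_MASK, COMPACT_VERSION = 0x82, 0x1F, 0x01
MAX_FRAME_SIZE = 0x3FFFFFFF  # assumed sanity limit for the frame length


def _kind(word):
    """Classify 4 bytes as the start of a binary, compact or THeader message."""
    (value,) = struct.unpack(">I", word)
    if value & VERSION_MASK == BINARY_V1:
        return "binary"
    if word[0] == COMPACT_ID and word[1] & COMPACT_VERSION_MASK == COMPACT_VERSION:
        return "compact"
    if value & VERSION_MASK == HEADER_MAGIC:
        return "theader"
    return None


def detect_client_type(data):
    """Auto detection: what the first 8 bytes say the peer is speaking."""
    if len(data) < 8:
        raise ValueError("need at least 8 bytes to classify")
    first = _kind(data[:4])
    if first in ("binary", "compact"):
        return "unframed-" + first
    (frame_size,) = struct.unpack(">I", data[:4])
    inner = _kind(data[4:8])
    if frame_size > MAX_FRAME_SIZE or inner is None:
        raise ValueError("not a recognizable Thrift message")
    return inner if inner == "theader" else "framed-" + inner


def accept(data, allowed=frozenset({"theader"})):
    """Strict receiver: classify first, then refuse anything not allow-listed."""
    kind = detect_client_type(data)
    if kind not in allowed:
        raise PermissionError(f"client type {kind!r} is not allowed here")
    return kind


# Constructed sample messages; only the leading bytes matter for detection.
CALL = struct.pack(">II", 0x80010001, 4) + b"ping" + struct.pack(">I", 0)
SAMPLES = {
    "unframed-binary": CALL,
    "framed-binary": struct.pack(">I", len(CALL)) + CALL,
    "unframed-compact": b"\x82\x21\x00\x04ping\x00\x00",
    "theader": struct.pack(">IHH", 14, 0x0FFF, 0) + bytes(10),
}
```

The allow-list only pins the wire format; it says nothing about whether an HMAC was present, which is the separate enforcement gap the comment concedes.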