
Comments (3)

markt-asf commented on August 12, 2024

Given the lack of further response combined with the current behaviour being aligned with the RFCs, I am closing this one.


markt-asf commented on August 12, 2024

TL;DR For Servlet <= 6.0, this is an Open Liberty bug that needs to be fixed, not a TCK bug. There is an option to change the Servlet specification for Servlet >= 6.1.

The Servlet specification, correctly, makes no statement regarding the timing of sending data for the upgraded connection with respect to the HTTP 101 response.

It is RFC compliant to send data for an upgraded connection prior to receiving the HTTP 101 response. Quoting RFC 9110:

"A client cannot begin using an upgraded protocol on the connection until it has completely sent the request message (i.e., the client can't change the protocol it is sending in the middle of a message)."

Nothing in the current RFCs requires the client to wait for the upgrade to be confirmed before using the protocol.

A number of RFCs for upgraded protocols do require the client to wait for the upgrade to be confirmed but those are protocol specific requirements, not generic upgrade requirements.

There is a general concern that optimistic upgrade (sending data using the upgraded protocol before the server has confirmed the upgrade) is problematic and there is an RFC in draft that would explicitly require all future upgrade protocols to protect against the security risks associated with optimistic upgrade. However, that RFC does not modify the language in RFC 9110 and optimistic upgrade remains specification compliant.

The TCK test could be improved to send the upgrade request and the data for the upgrade protocol at the same time which would result in a consistent TCK failure for Open Liberty and any similarly implemented servers.

We could modify the Servlet specification to reject any attempt at optimistic upgrade with a 400 response. I'm reluctant to do this as there are scenarios (which are the most likely use cases for a custom HttpUpgradeHandler) where optimistic upgrade is safe and it provides a performance improvement.

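The two server behaviours discussed in the comment above (hand the early bytes to the upgrade handler after the 101, or reject optimistic upgrade with a 400), shown on a single read that contains both the upgrade request and upgraded-protocol data. This is an added example, not code from the Servlet project, the TCK or Open Liberty; `handle_first_read`, `reject_optimistic`, the `demo-proto` token and the sample bytes are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

HEAD_END = b"\r\n\r\n"

@dataclass
class UpgradeResult:
    status: Optional[int]     # 101, 400, or None when no upgrade was requested
    protocol: Optional[str]   # value of the Upgrade header when accepted
    early_data: bytes         # upgraded-protocol bytes that arrived with the request

def parse_headers(head: bytes) -> dict:
    """Header fields of a request head, keyed by lower-cased field name."""
    headers = {}
    for line in head.decode("iso-8859-1").split("\r\n")[1:]:  # skip request line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def handle_first_read(buf: bytes, reject_optimistic: bool) -> UpgradeResult:
    """Classify one socket read that may hold a request plus early data."""
    end = buf.find(HEAD_END)
    if end < 0:
        raise ValueError("incomplete request head")
    headers = parse_headers(buf[:end])
    # The request message ends after its body; per the RFC 9110 text quoted
    # above, anything after that point may already be the upgraded protocol.
    msg_end = end + len(HEAD_END) + int(headers.get("content-length", "0"))
    if len(buf) < msg_end:
        raise ValueError("incomplete request body")
    leftover = buf[msg_end:]
    tokens = {t.strip().lower() for t in headers.get("connection", "").split(",")}
    if "upgrade" not in tokens or "upgrade" not in headers:
        return UpgradeResult(None, None, b"")
    if leftover and reject_optimistic:
        # Assumed policy flag: the "reject with a 400" option from the comment.
        return UpgradeResult(400, None, b"")
    # Accepting: the bytes read past the request must reach the upgrade
    # handler intact rather than being dropped or parsed as HTTP.
    return UpgradeResult(101, headers["upgrade"], leftover)

# Constructed sample: request and upgraded-protocol data sent in one write.
REQUEST = (b"GET /upgrade HTTP/1.1\r\nHost: example.test\r\n"
           b"Connection: Upgrade\r\nUpgrade: demo-proto\r\n\r\n")
EARLY = b"HELLO demo-proto\n"

if __name__ == "__main__":
    print(handle_first_read(REQUEST + EARLY, reject_optimistic=False))
    print(handle_first_read(REQUEST + EARLY, reject_optimistic=True))
```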

brideck commented on August 12, 2024

Thanks, Mark. I've passed this back to web dev for rebuttal/acquiescence.
