-
Notifications
You must be signed in to change notification settings - Fork 2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Shouldn't pre-computed HTTP headers trigger "Stripped" classification? #8205
Comments
After a quick search, other similar findings - some clearly breaking the requirements: IMHO a simple way to validate the HTTP implementation could be to emit a simple
or a simple This test should be run on all endpoints which are marked as From a wild guess of the source code I have seen, quite a few frameworks would then appear as Stripped and should be fixed/implemented in order to be part of the official ranking. |
just want to point out actix marks the bench you linked as stripped already. they really should just remove the code entirely but I was told it's there for future optimization despite I have seen zero effort they put in it for years. but still. |
The benchmark with the time is bigger, and we need to help. We can hep in the verify stage, to add more small details to have a fair play. And others we can't verify, like the |
Related partially to this: #7984 but on request parsing side: if parsing won't happen, no http headers are materialized/evaluated to drive HTTP server logic as well |
Another framework with pre-computed headers for /plaintext - which won't respond to basic "Connection: close" request so should be marked as "stripped":
|
You are right, this is the same issue. |
@synopse as explained in another comment, Vertx doesn't precompute headers, but just the ASCII string objects (which will still be encoded as usual) in the case-insensitive format, with case insensitive hash code compute once: it's not related the encoding of headers, which will happen, but a way to reduce the cost while putting them in the case-insensitive header map which will be encoded later and it's strongly suggested to happen in production too. |
Reading general requirement number 2 :
and for instance requirement iv of the plain text requirement :
Some frameworks do not compute the HTTP headers at all, but return a fixed value, including
HTTP/1.1 200 OK
and theContent-Length:
integer value, just appending the current date to this hardcoded buffer. This is not a realistic HTTP implementation to my (common) sense. There is no point of allowing to pre-compute the headers but disallowing to pre-compute the response body - the former clearly depending on the later content.Such patterns appear for instance in this plaintext or this json implementations. My guess is that such implementations should be marked as
Stripped
, or fixed to use a HTTP headers generation library, as any realistic production-grade framework would do.The main issue with such fixed headers is that the server is not compatible with HTTP/1.0 requests or
Connection: Close
headers, which are part of the HTTP protocol, and should be properly implemented on the server side.Perhaps there are other implementations with the same dubious pattern.
The text was updated successfully, but these errors were encountered: