Closed Bug 632524 Opened 13 years ago Closed 13 years ago

End support for HTTP/0.9

Categories

(Core :: Networking: HTTP, enhancement)

Product:
Core
Component:
Networking: HTTP
Type:
enhancement
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED WONTFIX

People

(Reporter: yuhongbao_386, Unassigned)

Details

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Build Identifier: 

HTTP/0.9 is very obsolete by now, and one of the biggest flaws is that there is no header, making "cross-protocol" XSS attacks possible. Current browsers tries to block common ports used in attacks like SMTP and POP3, but a simple way to fix the problem would be requiring the response to start with "HTTP/", thus ending HTTP/0.9 support.

Reproducible: Always
> HTTP/0.9 is very obsolete by now

Meaning what?

Servers send it all the time.  I suggest you look at just the bugs we had in the last few months when we slightly tweaked our HTTP 0.9 handling.

I suspect there's no way we can make this change without badly breaking web compat.
But what I am proposing is very simple. Require the response start with "HTTP/".
And what I'm saying is that lots of responses servers send right now do NOT start with that string.
Is HTTP/0.9 commonly used for responses to form submissions? Because these are the most risky.
Based on bug 628832 and bug 632061 I would expect yes (e.g. the Sitecom router in question seems to use it for all its responses).
Status: UNCONFIRMED → RESOLVED
Closed: 13 years ago
Resolution: --- → WONTFIX
5 years later, time to revisit this issue, given https://groups.google.com/a/chromium.org/forum/#!topic/net-dev/NA3c8OZi4pU

HTTP/0.9 needs to go away.
Yes, I can reopen the bug if you want me to.
(In reply to Yuhong Bao from comment #7)
> Yes, I can reopen the bug if you want me to.

not at this time. thanks.
(In reply to Patrick McManus [:mcmanus] from comment #8)
> (In reply to Yuhong Bao from comment #7)
> > Yes, I can reopen the bug if you want me to.
> 
> not at this time. thanks.

Can we get some information when HTTP/0.9 will be removed? The exploit is in the wild and Firefox is currently vulnerable.
Fully disabling HTTP/0.9 is not possible at this time for compatibility reasons. See bug 1262128 for a potential mitigation strategy (restrict use to reserved HTTP ports).
You need to log in before you can comment on or make changes to this bug.