As a security precaution, we have turned on the setting "Require API key authentication for API requests" for everyone. If this has broken something, please contact
Last Comment Bug 570283 - Stop sending Proxy-Connection
: Stop sending Proxy-Connection
: dev-doc-needed
Product: Core
Classification: Components
Component: Networking: HTTP (show other bugs)
: unspecified
: All All
: -- normal (vote)
: mozilla18
Assigned To: Patrick McManus [:mcmanus]
: Patrick McManus [:mcmanus]
Depends on: 828236
  Show dependency treegraph
Reported: 2010-06-04 20:55 PDT by Mark Nottingham
Modified: 2013-01-10 11:23 PST (History)
9 users (show)
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---

patch 0 (7.18 KB, patch)
2012-09-04 10:17 PDT, Patrick McManus [:mcmanus]
jduell.mcbugs: review+
Details | Diff | Splinter Review

Description User image Mark Nottingham 2010-06-04 20:55:30 PDT
User-Agent:       Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-au) AppleWebKit/531.22.7 (KHTML, like Gecko) Version/4.0.5 Safari/531.22.7
Build Identifier: 

Mozilla should stop sending the Proxy-Connection header when a HTTP proxy is configured.

This header is non-standard, doesn't work well (because proxies will forward it), and isn't implemented by modern proxies.

Furthermore, removing it will have the worst effect of not negotiating persistent connections with very old proxies; it will not cause interoperability issues.

Reproducible: Always
Comment 1 User image Mark Nottingham 2010-07-01 13:08:31 PDT
A bit more.

The worst case scenario here is if a HTTP/1.0 proxy that:
 - does not understand persistent connections to servers (i.e., only close delimitation), AND
 - doesn't understand and therefore forwards Connection

will hang and wait for close, because it unknowingly sends Connection: keep-alive to a HTTP/1.0 server.

However, I note that Safari already sends

  Connection: keep-alive
  Proxy-Connection: keep-alive

in their requests when a proxy is configured, so it appears that this very unlikely configuration isn't seen in practice today.
Comment 2 User image error 2011-01-03 21:08:05 PST
Tracing a connection with Firebug does not show the presence of Proxy-Connection in the request headers being sent from my copy of Firefox 3.6.13 when it's set to use a proxy server. Nor is the header seen in Wireshark, which I think is pretty conclusive. If Firefox is sending this header in any circumstances, they aren't normal circumstances that I've been able to reproduce.
Comment 3 User image Boris Zbarsky [:bz] (still a bit busy) 2011-01-03 22:04:43 PST
Quite odd.  nsHttpHandler::AddStandardRequestHeaders clearly adds a Proxy-Connection header (with comments as to why it's doing it, note), when useProxy is true.
Comment 4 User image Boris Zbarsky [:bz] (still a bit busy) 2011-01-03 22:05:06 PST
And note that so does nsHttpConnection::SetupSSLProxyConnect.
Comment 5 User image mnot 2011-01-25 17:27:05 PST
What proxy were you connecting to? Specifically, is it HTTP/1.0 or 1.1?
Comment 6 User image Patrick McManus [:mcmanus] 2012-09-04 10:17:18 PDT
Created attachment 658140 [details] [diff] [review]
patch 0

mark is right.
Comment 7 User image Patrick McManus [:mcmanus] 2012-09-05 05:40:39 PDT
Comment 8 User image Ryan VanderMeulen [:RyanVM] 2012-09-05 19:41:49 PDT
Comment 9 User image Patrick McManus [:mcmanus] 2013-01-10 11:23:19 PST
in bug 828236 we've got a case of failed NTLM auth on a CONNECT method against a squid/2.6.STABLE9.. there are other reports of 2.7 failure too.

this would probably be a problem with end host NTLM too when using the proxy, but that's going to be pretty rare.

the "worst case" of losing the persistent connection breaks the damn stateful ntlm.

Note You need to log in before you can comment on or make changes to this bug.