User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Build Identifier:
HTTP/0.9 is very obsolete by now, and one of the biggest flaws is that there is no header, making "cross-protocol" XSS attacks possible. Current browsers try to block common ports used in attacks like SMTP and POP3, but a simple way to fix the problem would be requiring the response to start with "HTTP/", thus ending HTTP/0.9 support.
Reproducible: Always
> HTTP/0.9 is very obsolete by now
Meaning what? Servers send it all the time. I suggest you look at just the bugs we had in the last few months when we slightly tweaked our HTTP 0.9 handling. I suspect there's no way we can make this change without badly breaking web compat.
But what I am proposing is very simple. Require the response start with "HTTP/".
And what I'm saying is that lots of responses servers send right now do NOT start with that string.
Is HTTP/0.9 commonly used for responses to form submissions? Because these are the most risky.
Based on bug 628832 and bug 632061 I would expect yes (e.g. the Sitecom router in question seems to use it for all its responses).
Status: UNCONFIRMED → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → WONTFIX
5 years later, time to revisit this issue, given https://groups.google.com/a/chromium.org/forum/#!topic/net-dev/NA3c8OZi4pU HTTP/0.9 needs to go away.
Yes, I can reopen the bug if you want me to.
(In reply to Yuhong Bao from comment #7)
> Yes, I can reopen the bug if you want me to.
not at this time. thanks.
(In reply to Patrick McManus [:mcmanus] from comment #8)
> (In reply to Yuhong Bao from comment #7)
> > Yes, I can reopen the bug if you want me to.
>
> not at this time. thanks.
Can we get some information when HTTP/0.9 will be removed? The exploit is in the wild and Firefox is currently vulnerable.
Fully disabling HTTP/0.9 is not possible at this time for compatibility reasons. See bug 1262128 for a potential mitigation strategy (restrict use to reserved HTTP ports).
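
The three positions taken in this thread (accept header-less responses everywhere, require the response to start with "HTTP/", or restrict header-less responses to reserved HTTP ports) can be compared with a small classifier. This is an added example, not code from the bug report or from Firefox. The names `classify`, `Policy` and `Verdict`, the port set {80, 443} and the sample responses are assumptions made for illustration.

```python
from enum import Enum

STATUS_PREFIX = b"HTTP/"
# Assumption: the thread says "reserved HTTP ports" without listing them;
# the http/https default ports stand in for that list here.
DEFAULT_HTTP_PORTS = frozenset({80, 443})


class Policy(Enum):
    LEGACY = "accept header-less responses on any port"
    DEFAULT_PORTS_ONLY = "accept header-less responses on default ports only"
    STRICT = "require the response to start with HTTP/"


class Verdict(Enum):
    NEED_MORE = "undecided, read more bytes"
    STATUS_LINE = "HTTP/1.x style response with a status line"
    HTTP09_ACCEPTED = "no status line, body handed to the renderer"
    REJECTED = "no status line, response dropped"


def classify(first_bytes, port, policy, eof=False):
    """Decide how to treat a response from its first bytes and the server port."""
    n = min(len(first_bytes), len(STATUS_PREFIX))
    if first_bytes[:n] == STATUS_PREFIX[:n]:
        if n == len(STATUS_PREFIX):
            return Verdict.STATUS_LINE
        if not eof:
            # A short read such as b"HT" must not be judged yet.
            return Verdict.NEED_MORE
    # No status line: this is what a browser would treat as HTTP/0.9.
    if policy is Policy.LEGACY:
        return Verdict.HTTP09_ACCEPTED
    if policy is Policy.DEFAULT_PORTS_ONLY and port in DEFAULT_HTTP_PORTS:
        return Verdict.HTTP09_ACCEPTED
    return Verdict.REJECTED


# Constructed samples: (description, port, first bytes of the response).
SAMPLES = [
    ("web server with status line", 80, b"HTTP/1.1 200 OK\r\n"),
    ("embedded device, no status line", 80, b"<html><body>setup</body></html>"),
    ("mail server banner", 25, b"220 mail.example.test ESMTP\r\n"),
]

if __name__ == "__main__":
    for policy in Policy:
        for desc, port, data in SAMPLES:
            print(f"{policy.name:18} {desc:32} -> {classify(data, port, policy).name}")
```

Under `DEFAULT_PORTS_ONLY` the embedded-device response on port 80 is still rendered while the mail banner on port 25 is dropped, which is the compatibility trade-off the last comment describes.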