Bug 632524 - End support for HTTP/0.9
Opened 13 years ago
Closed 13 years ago
Categories: Core :: Networking: HTTP (enhancement)
Status: RESOLVED WONTFIX
Reporter: yuhongbao_386 (Unassigned)
Description

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Build Identifier:

HTTP/0.9 is very obsolete by now, and one of the biggest flaws is that there is no header, making "cross-protocol" XSS attacks possible. Current browsers try to block common ports used in attacks like SMTP and POP3, but a simple way to fix the problem would be requiring the response to start with "HTTP/", thus ending HTTP/0.9 support.

Reproducible: Always
Comment 1•13 years ago
> HTTP/0.9 is very obsolete by now
Meaning what?
Servers send it all the time. I suggest you look at just the bugs we had in the last few months when we slightly tweaked our HTTP 0.9 handling.
I suspect there's no way we can make this change without badly breaking web compat.
Comment 2•13 years ago (Reporter)
But what I am proposing is very simple. Require the response start with "HTTP/".
Comment 3•13 years ago
And what I'm saying is that lots of responses servers send right now do NOT start with that string.
Comment 4•13 years ago (Reporter)
Is HTTP/0.9 commonly used for responses to form submissions? Because these are the most risky.
Comment 5•13 years ago
Based on bug 628832 and bug 632061 I would expect yes (e.g. the Sitecom router in question seems to use it for all its responses).
Updated•13 years ago
Status: UNCONFIRMED → RESOLVED
Closed: 13 years ago
Resolution: --- → WONTFIX
5 years later, time to revisit this issue. Given https://groups.google.com/a/chromium.org/forum/#!topic/net-dev/NA3c8OZi4pU, HTTP/0.9 needs to go away.
Comment 7•8 years ago (Reporter)
Yes, I can reopen the bug if you want me to.
Comment 8•8 years ago
(In reply to Yuhong Bao from comment #7)
> Yes, I can reopen the bug if you want me to.

not at this time. thanks.

(In reply to Patrick McManus [:mcmanus] from comment #8)
> (In reply to Yuhong Bao from comment #7)
> > Yes, I can reopen the bug if you want me to.
>
> not at this time. thanks.

Can we get some information when HTTP/0.9 will be removed? The exploit is in the wild and Firefox is currently vulnerable.
Comment 10•7 years ago
Fully disabling HTTP/0.9 is not possible at this time for compatibility reasons. See bug 1262128 for a potential mitigation strategy (restrict use to reserved HTTP ports).
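The two policies argued over in this thread, comment 2's "require the response to start with HTTP/" and comment 10's "restrict HTTP/0.9 to reserved HTTP ports", are easy to compare side by side. The following is an added illustration written for this page, not Necko code or anything from bug 1262128. It assumes that "reserved HTTP ports" means 80 and 443, and the function names (`detect_version`, `evaluate`) and the sample responses are constructed for the example; the security-relevant point it makes is that an HTTP/0.9 "response" is a bare body with no status line and no Content-Type, so the only thing a client can reason about is the port it came from.

```python
"""Classify raw HTTP responses and apply the policies discussed in bug 632524.
Added example; not Mozilla/Necko code."""

from dataclasses import dataclass

# Assumption for this example: "reserved HTTP ports" means the IANA-assigned
# http (80) and https (443) ports.
RESERVED_HTTP_PORTS = frozenset({80, 443})


@dataclass
class Verdict:
    version: str    # "HTTP/0.9", "HTTP/1.0", "HTTP/1.1", ...
    accepted: bool
    reason: str


def detect_version(raw: bytes) -> str:
    """An HTTP/1.x response begins with a status line 'HTTP/<major>.<minor> <code> ...'.
    Anything else is treated the way the HTTP/0.9 rule treats it: as a bare body
    with no status and no headers, so no Content-Type constrains how the bytes
    will be interpreted by the consumer."""
    status_line = raw.split(b"\r\n", 1)[0]
    parts = status_line.split(b" ")
    token = parts[0]
    # The bug's proposal is purely prefix-based ("HTTP/"); the numeric status
    # code check is an extra sanity check added here so that a non-HTTP body
    # that happens to begin with "HTTP/" is not mistaken for a status line.
    if token.startswith(b"HTTP/") and len(parts) >= 2 and parts[1].isdigit():
        return token.decode("ascii", "replace")
    return "HTTP/0.9"


def evaluate(raw: bytes, port: int, policy: str) -> Verdict:
    """policy == "strict": every response must carry a status line (comment 2).
    policy == "ports":  HTTP/0.9 tolerated only on RESERVED_HTTP_PORTS (comment 10).
    policy == "legacy": accept everything, the behaviour the bug argues against."""
    version = detect_version(raw)
    if version != "HTTP/0.9":
        return Verdict(version, True, "status line present")
    if policy == "strict":
        return Verdict(version, False, "no HTTP/ status line")
    if policy == "ports":
        if port in RESERVED_HTTP_PORTS:
            return Verdict(version, True, f"HTTP/0.9 tolerated on port {port}")
        return Verdict(version, False, f"HTTP/0.9 on non-HTTP port {port}")
    return Verdict(version, True, "legacy: HTTP/0.9 accepted on any port")


# Constructed samples for the example (not captured traffic).
SAMPLE_HTTP11 = b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\nhello"
# A legacy embedded-device admin page served without any status line.
SAMPLE_DEVICE_09 = b"<html><body>legacy admin page</body></html>"
# A greeting from a non-HTTP service: no status line, so it reads as HTTP/0.9.
SAMPLE_NON_HTTP_BANNER = b"220 mail.example.test ESMTP service ready\r\n"


def run_matrix() -> dict:
    """Evaluate every sample under every policy; returns {(name, policy): accepted}."""
    samples = [
        ("http11", SAMPLE_HTTP11, 8080),
        ("device09", SAMPLE_DEVICE_09, 80),
        ("banner", SAMPLE_NON_HTTP_BANNER, 25),
    ]
    results = {}
    for name, raw, port in samples:
        for policy in ("legacy", "ports", "strict"):
            results[(name, policy)] = evaluate(raw, port, policy).accepted
    return results


if __name__ == "__main__":
    for (name, policy), accepted in run_matrix().items():
        print(f"{name:9} {policy:7} -> {'accept' if accepted else 'reject'}")
```

Running the matrix shows the trade-off the thread describes: the strict policy rejects the legacy device page on port 80 (the web-compat breakage comment 1 and comment 3 warn about), the port policy keeps that page while rejecting the same headerless bytes from port 25, and the legacy policy accepts both.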