End support for HTTP/0.9

RESOLVED WONTFIX

Status

()

Core
Networking: HTTP
--
enhancement
RESOLVED WONTFIX
8 years ago
a year ago

People

(Reporter: Yuhong Bao, Unassigned)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

(Reporter)

Description

8 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Build Identifier: 

HTTP/0.9 is very obsolete by now, and one of the biggest flaws is that there is no header, making "cross-protocol" XSS attacks possible. Current browsers tries to block common ports used in attacks like SMTP and POP3, but a simple way to fix the problem would be requiring the response to start with "HTTP/", thus ending HTTP/0.9 support.

Reproducible: Always
> HTTP/0.9 is very obsolete by now

Meaning what?

Servers send it all the time.  I suggest you look at just the bugs we had in the last few months when we slightly tweaked our HTTP 0.9 handling.

I suspect there's no way we can make this change without badly breaking web compat.
(Reporter)

Comment 2

8 years ago
But what I am proposing is very simple. Require the response start with "HTTP/".
And what I'm saying is that lots of responses servers send right now do NOT start with that string.
(Reporter)

Comment 4

8 years ago
Is HTTP/0.9 commonly used for responses to form submissions? Because these are the most risky.
Based on bug 628832 and bug 632061 I would expect yes (e.g. the Sitecom router in question seems to use it for all its responses).
Status: UNCONFIRMED → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → WONTFIX

Comment 6

2 years ago
5 years later, time to revisit this issue, given https://groups.google.com/a/chromium.org/forum/#!topic/net-dev/NA3c8OZi4pU

HTTP/0.9 needs to go away.
(Reporter)

Comment 7

2 years ago
Yes, I can reopen the bug if you want me to.
(In reply to Yuhong Bao from comment #7)
> Yes, I can reopen the bug if you want me to.

not at this time. thanks.

Comment 9

2 years ago
(In reply to Patrick McManus [:mcmanus] from comment #8)
> (In reply to Yuhong Bao from comment #7)
> > Yes, I can reopen the bug if you want me to.
> 
> not at this time. thanks.

Can we get some information when HTTP/0.9 will be removed? The exploit is in the wild and Firefox is currently vulnerable.
Fully disabling HTTP/0.9 is not possible at this time for compatibility reasons. See bug 1262128 for a potential mitigation strategy (restrict use to reserved HTTP ports).
You need to log in before you can comment on or make changes to this bug.