Opened 7 years ago

Closed 7 years ago

Last modified 7 years ago

#396 closed defect (fixed)

Chrome <--> nginx SPDY/2 misunderstanding

Reported by: Илья Шипицин Owned by:
Priority: minor Milestone: 1.5.3
Component: nginx-core Version: 1.3.x
Keywords: spdy Cc:
uname -a:
nginx -V: nginx version: nginx/1.4.1
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --with-cc=egcc --conf-path=/etc/nginx/nginx.conf --sbin-path=/usr/local/sbin/nginx --pid-path=/var/run/nginx.pid --lock-path=/var/nginx/tmp/nginx.lock --http-client-body-temp-path=/var/nginx/tmp/client_body_temp --http-proxy-temp-path=/var/nginx/tmp/proxy_temp --http-fastcgi-temp-path=/var/nginx/tmp/fastcgi_temp --http-scgi-temp-path=/var/nginx/tmp/scgi_temp --http-uwsgi-temp-path=/var/nginx/tmp/uwsgi_temp --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --user=_nginx --group=_nginx --with-http_gzip_static_module --with-http_ssl_module --with-http_stub_status_module --with-ipv6 --with-pcre-jit --with-http_realip_module --with-http_sub_module --with-http_spdy_module --with-debug --add-module=../nginx-sticky-module-1.1 --add-module=../lua-nginx-module-0.8.2rc1

Description

during XMLHttpRequest empty headers may be added. According to SPDY specifications server MUST issue stream error.

however, Chrome neglects that idea and allows empty headers to pass out.

look what happens:

https://spdy2.skbkontur.ru - nginx, SPDY/2
https://spdy3.skbkontur.ru - node.js, SPDY/3

I beleive that it is bug of Chrome, however, we can nothing or little to do here, it is not possible to upgrade 25% of internet users (how many of them use Chrome ? I beleive about 25%).

Change History (3)

comment:1 by Илья Шипицин, 7 years ago

comment:2 by Valentin V. Bartenev, 7 years ago

Resolution: fixed
Status: newclosed

Fixed in 8ef1722143dc.

comment:3 by Valentin Bartenev <vbart@…>, 7 years ago

In 8ef1722143dccf9f884010e448263bbbfe08dab5/nginx:

SPDY: do not reject headers with empty value (ticket #396).

A quote from SPDY draft 2 specification: "The length of each name and
value must be greater than zero. A receiver of a zero-length name or
value must send a RST_STREAM with code PROTOCOL error."

But it appears that Chrome browser allows sending requests over SPDY/2
connection using JavaScript that contain headers with empty values.

For better compatibility across SPDY clients and to be compliant with
HTTP, such headers are no longer rejected.

Also, it is worth noting that in SPDY draft 3 the statement has been
changed so that it permits empty values for headers.

Note: See TracTickets for help on using tickets.