Re: Expect: 100-continue and "final" status codes

"Peter Occil" <> Wed, 29 May 2013 01:53 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 1D6EF21E804D for <>; Tue, 28 May 2013 18:53:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -10.598
X-Spam-Status: No, score=-10.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-8]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id WyEprH8RFRJi for <>; Tue, 28 May 2013 18:53:08 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id F0D4821E804B for <>; Tue, 28 May 2013 18:53:05 -0700 (PDT)
Received: from lists by with local (Exim 4.72) (envelope-from <>) id 1UhVYl-0002z8-3E for; Wed, 29 May 2013 01:52:15 +0000
Resent-Date: Wed, 29 May 2013 01:52:15 +0000
Resent-Message-Id: <>
Received: from ([]) by with esmtp (Exim 4.72) (envelope-from <>) id 1UhVYZ-0002y9-5h for; Wed, 29 May 2013 01:52:03 +0000
Received: from ([]) by with esmtps (TLS1.0:RSA_ARCFOUR_SHA1:16) (Exim 4.72) (envelope-from <>) id 1UhVYT-0001yT-SN for; Wed, 29 May 2013 01:52:03 +0000
Received: by with SMTP id 11so5899695vbe.33 for <>; Tue, 28 May 2013 18:51:32 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20120113; h=message-id:from:to:cc:references:in-reply-to:subject:date :mime-version:content-type:x-priority:x-msmail-priority:importance :x-mailer:x-mimeole; bh=lCJxMWJUVwHGFyDddT9sJDZmLisPJFVe5yw/9R5WhbA=; b=cY1oR+CNu1ASgK8eiMLwWuQRoFmOE1HQUqCBxZDSHe9LVrAV82bRCVpiRikV2IJLzL 7rjo/bKkltKDv/1Ts85hOMLVaV99qcyfn0BWjZ7wKoXa7QaUf9cV/9ux3oSHbaUX+3Kz /D3ylHW9PdK97ThlcvBXO/vM+GsNev1drOlw/W1/+XaQK7EamHUBIsEANaDr+Jy123lm 6aAeTRihIzBRTy3ixhW3qfFKeA8TfRwKiQGZ6sNLjZI6E+pbaIYOQj7zcx7oamP8rWzI lGxaI9gmfg+o4OF4RmpYyWfjf76Ek1IV1wm9i8ONYjiSqMv7pw1ZI580th0owmhfhNBC fu+g==
X-Received: by with SMTP id y13mr259122vdt.33.1369792292089; Tue, 28 May 2013 18:51:32 -0700 (PDT)
Received: from PeterPC ( []) by with ESMTPSA id sr7sm20741517vdc.2.2013. for <multiple recipients> (version=TLSv1 cipher=RC4-SHA bits=128/128); Tue, 28 May 2013 18:51:31 -0700 (PDT)
Message-ID: <C0105E9E3DEE4E28810CC5E095C58FCA@PeterPC>
From: "Peter Occil" <>
To: "Zhong Yu" <>, "Mark Nottingham" <>
Cc: "Willy Tarreau" <>, "Ken Murchison" <>, "HTTP Working Group" <>
References: <><><><><><> <>
In-Reply-To: <>
Date: Tue, 28 May 2013 21:51:23 -0400
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0036_01CE5BED.7F285710"
X-Priority: 3
X-MSMail-Priority: Normal
Importance: Normal
X-Mailer: Microsoft Windows Live Mail 15.4.3555.308
X-MimeOLE: Produced By Microsoft MimeOLE V15.4.3555.308
Received-SPF: pass client-ip=;;
X-W3C-Hub-Spam-Status: No, score=-3.0
X-W3C-Scan-Sig: 1UhVYT-0001yT-SN cc0267aa8d41b5c06a90069912300614
Subject: Re: Expect: 100-continue and "final" status codes
Archived-At: <>
X-Mailing-List: <> archive/latest/18138
Precedence: list
List-Id: <>
List-Help: <>
List-Post: <>
List-Unsubscribe: <>

To make it a bit clearer, change the proposed text “the client will wait before some (possibly unbounded) period of time before sending it” to “the client will wait before some (possibly unbounded) period of time sending the payload body”.


From: Zhong Yu 
Sent: Tuesday, May 28, 2013 11:57 AM
To: Mark Nottingham 
Cc: Willy Tarreau ; Ken Murchison ; HTTP Working Group 
Subject: Re: #467: Expect: 100-continue and "final" status codes

Sounds good. 

I wonder whether this mutual distrust between the client and the server is still valid today. RFC 2616 wrote in 1999 that some servers did not understand 100-continue. Is that still the case? I suspect that most deployed servers today do support 100-continue properly.

Zhong Yu

On Tue, May 28, 2013 at 1:03 AM, Mark Nottingham <> wrote:

  On 18/05/2013, at 3:45 AM, Zhong Yu <> wrote:

  > Hi Mark, I disagree with the change.


  > The old text describes the intended use case - the client should wait for a 100 response before sending the request body. The text then explains the exceptional case - if the server is not known to be 1.1 compliant, the client should not wait forever.
  > Your proposed text emphasizes the exceptional case, making the intended case rather hidden. I personally prefer the old text.

  I'd say that what's usable in practice is pretty far from the intent, and furthermore, the intent isn't terribly clear.

  > One can argue that both texts have the same implication for implementations, which must handle both the intended and exceptional cases anyway.


  > However there is one difference, which I think is critical. According to the old text, if a server is 1.1 compliant, and the client *knows* that the server is 1.1 compliant, client should wait indefinitely for a response from server; it should not unilaterally decide to send the request body.

  Perhaps, but that's a very limited case; in practice, the only way it can be sure of this knowledge is if it has previously received a HTTP/1.1 response on the *same* connection. Since implementations often use a new connection for a request with a body (since they're often unsafe, and the connection could idle out in transit), this isn't terribly common, AIUI (YMMV).

  > According to the proposed text, the client must send the request body after very a short timeout. This is a new requirement on clients, which is probably not damaging, but unjustified nevertheless.

  There aren't any new requirements in there; all of this text is only describing semantics and giving implementation advice. What if we modify the text slightly, e.g.,


  * The request includes a payload body and, after sending the request header section, the client will wait before some (possibly unbounded) period of time before sending it, to give the server an opportunity to reject the request with a final status code. The server can shorten the wait time by sending a 100 (Continue) response.

  With similar modifications as appropriate elsewhere?


  > On Thu, May 16, 2013 at 9:47 PM, Mark Nottingham <> wrote:
  > Looking at this again, I think one of the problems is that people misunderstand what e/c is for.
  > The current definition of 100-continue in requests doesn't help:
  > > 100-continue
  > >
  > >       • The request includes a payload body and the client will wait for a 100 (Continue) response after sending the request header section but before sending the payload body. The 100-continue expectation does not use any expect-params.
  > <>
  > "will wait for" is misleading here; the client might send the body before getting the 100 response. This should really say something like:
  > """
  > 100-continue
  > * The request includes a payload body and, after sending the request header section, the client will wait before some period of time before sending it, to give the server an opportunity to reject the request with a final status code. The server can shorten the wait time by sending a 100 (Continue) response.
  > """
  > It then goes on:
  > > The primary purpose of the 100 (Continue) status code (Section 6.2.1) is to allow a client that is sending a request message with a payload to determine if the origin server is willing to accept the request (based on the request header fields) before the client sends the payload body. In some cases, it might either be inappropriate or highly inefficient for the client to send the payload body if the server will reject the message without looking at the body.
  > Again, I think this is misleading. It should say something like:
  > """
  > The 100-continue expectation and 100 (Continue) status code (Section 6.2.1) are useful when a request that has a large body might be rejected by the server; for example, if the request requires authorization (ref to p7). In these situations, clients will often pause between sending the request headers and its body, to give the server an opportunity to refuse the request.
  > In cases where the request is successful, this can cause a needless delay, as the client waits to time out (a typical period is one second). If the client has send the 100-continue expectation, the server can use the 100 (Continue) status code to indicate that the request is not going to be rejected, thereby avoiding the remainder of this delay period.
  > Note that this mechanism does not change the request message parsing algorithm; in particular, whether or not a final response status code is sent, the client still needs to send a complete request message. As such, if a final status code is received, clients will often choose to close the connection, rather than send a complete request (e.g., if it is length-delimited).
  > """
  > If we can agree on that, I think it'll help guide the rest of the discussion here and in the other E/C related issues:
  > Am I on track?
  > Cheers,
  > On 25/04/2013, at 3:06 AM, Willy Tarreau <> wrote:
  > > On Wed, Apr 24, 2013 at 01:00:42PM -0400, Ken Murchison wrote:
  > >>> 2. If the client receives a final status code instead of 100
  > >>> (Continue), it
  > >>> should stop sending request body if it is doing so; it must close the
  > >>> connection after the response is received.
  > >>
  > >> I don't understand point #2.  If the client submits a request with
  > >> Expect:100-continue, I would assume that the client MUST NOT send any
  > >> part of the body until it receives 100 (Continue) from the server.  If
  > >> the server rejects the request based on the headers (with 412, 415, 417,
  > >> etc) there should be no body data in the pipe for either the client or
  > >> server to worry about, correct?
  > >
  > > In fact the client can decide that it's been waiting too long for 100
  > > and decides to send anyway (because some old servers or intermediaries
  > > do not know about Expect and will wait).
  > >
  > > So what is generally done is that the client sends the headers, waits a
  > > bit then starts to send data if the server does not respond.
  > >
  > > Implementation of expect+100 seems to be a real mess at some places,
  > > but when it works it prove to be quite useful.
  > >
  > > Willy
  > >
  > >
  > --
  > Mark Nottingham

  Mark Nottingham