Re: p2: Expect: 100-continue and "final" status codes

Amos Jeffries <> Wed, 24 April 2013 13:30 UTC


On 24/04/2013 7:46 p.m., Adrien W. de Croy wrote:
> ------ Original Message ------
> From: "Amos Jeffries" <>
>> On 24/04/2013 4:39 p.m., Adrien W. de Croy wrote:
>>> ------ Original Message ------
>>> From: "Mark Nottingham" <>
>>>> On 24/04/2013, at 12:41 PM, Amos Jeffries <> 
>>>> wrote:
>>>>>>>  I think we can give better advice than that. If a server 
>>>>>>> responds with a final status code instead of 100 (Continue)
>>>>>>>  1. The response must be the last response on the connection. 
>>>>>>> The response should contain "Connection: close" header. After 
>>>>>>> the response is written, the server must initiate a lingering 
>>>>>>> close of the connection (p1#6.6).
>>>>>>  That seems too restrictive; as long as the server reads the rest 
>>>>>> of the request properly (discarding it), it should be able to 
>>>>>> recover and reuse the connection.
>>>>>  The problem comes with intermediaries. How are they to know the 
>>>>> bytes following were the original advertised payload or not? the 
>>>>> status from server has no guarantee of arriving after the client 
>>>>> payload starts arriving.
>>>>>  The only way to guarantee safety on the connection is to close it 
>>>>> or always send payload.
>>> I'm really struggling to see what benefit can be derived by a client 
>>> in knowing whether a server supports 100 continue or not. So to me 
>>> Expects: 100-continue is a complete waste of space. I've never seen 
>>> one so I guess implementors by and large agree.
>> I guess you have never tried uploading a video to YouTube through 
>> an old intermediary which requires authentication. At best (Basic) it 
>> doubles the upload time and can cause the whole transaction to abort 
>> with a timeout. At worst (NTLM) it can do the same while consuming up 
>> to 3x the total size of the uncompressed video in bandwidth. This 
>> exact use-case is why we pushed HTTP/1.1 experiments into Squid-2.7.
> similar issue with webmail uploading attachments.  that's why I wrote 
> I removed the discussion about flow-control after the aforementioned 
> discussion about using chunked transfers for requests.
> But I don't see how 100 continue makes any difference in this case.  
> The client needs to either
> a) close and retry.  This won't work for any connection-oriented auth 
> mechanism.

On the contrary the connection can safely be closed after the first 
request/response and the initial challenge with any mechanism, even 
connection-oriented ones. The credentials state does not exist until the 
followup client request with Authorization: header attached. That is the 
point where closure is a problem for connection-oriented auth, BUT also 
by that point Expect has already taken place and capability is known to 
be available or not.

Squid administrators have been using exactly this challenge+close method 
for some years now to avoid MSIE bugs in NTLM. So we have evidence of 
success outside of Expect.
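
Added example, not part of the original message and not Squid's code: a proxy-side sketch of the challenge+close handling discussed in this thread, deciding what to send for a request head before any body bytes are read. The function names, the Basic challenge, the sample requests and the rule that a present Proxy-Authorization header counts as valid credentials are all assumptions made for illustration.

```python
# Constructed sample: first upload attempt, no credentials, body not yet sent.
FIRST = (b"POST http://upload.example/video HTTP/1.1\r\n"
         b"Host: upload.example\r\n"
         b"Expect: 100-continue\r\n"
         b"Content-Length: 734003200\r\n\r\n")
# Constructed sample: the retry on a new connection, credentials attached.
RETRY = FIRST.replace(
    b"\r\n\r\n", b"\r\nProxy-Authorization: Basic dXNlcjpwYXNz\r\n\r\n")

def parse_head(raw: bytes):
    """Split a request head into (request_line, {lowercased-name: value})."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def decide(raw_head: bytes, challenge: str = 'Basic realm="proxy"'):
    """Return (response_bytes, close_connection, read_body) for one request head."""
    _, h = parse_head(raw_head)
    expects = h.get("expect", "").lower() == "100-continue"
    has_body = "content-length" in h or "transfer-encoding" in h
    if "proxy-authorization" not in h:
        # Initial challenge: no credential state exists yet, so closing is safe
        # for any mechanism. Closing also removes the ambiguity raised in the
        # thread: bytes that follow cannot be mistaken for a new request.
        resp = (b"HTTP/1.1 407 Proxy Authentication Required\r\n"
                b"Proxy-Authenticate: " + challenge.encode() + b"\r\n"
                b"Content-Length: 0\r\n"
                b"Connection: close\r\n\r\n")
        return resp, True, False
    if expects and has_body:
        # Assumption: header presence stands in for a successful credential
        # check. The client may now send the payload exactly once.
        return b"HTTP/1.1 100 Continue\r\n\r\n", False, True
    # No Expect: the client is already sending, so just read the body if any.
    return b"", False, has_body

if __name__ == "__main__":
    for name, req in (("first", FIRST), ("retry", RETRY)):
        resp, close, read_body = decide(req)
        print(name, resp.split(b"\r\n")[0].decode(), "close:", close, "read:", read_body)
```
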