Re: Last Call: <draft-ietf-httpbis-header-structure-18.txt> (Structured Field Values for HTTP) to Proposed Standard

Willy Tarreau <> Sat, 16 May 2020 05:51 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 33EA23A0771 for <>; Fri, 15 May 2020 22:51:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -0.749
X-Spam-Status: No, score=-0.749 tagged_above=-999 required=5 tests=[HEADER_FROM_DIFFERENT_DOMAINS=0.249, MAILING_LIST_MULTI=-1, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 8J69Q_FJttyQ for <>; Fri, 15 May 2020 22:51:45 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 0E67A3A076F for <>; Fri, 15 May 2020 22:51:22 -0700 (PDT)
Received: from lists by with local (Exim 4.92) (envelope-from <>) id 1jZpj3-00035J-LQ for; Sat, 16 May 2020 05:51:09 +0000
Resent-Date: Sat, 16 May 2020 05:51:09 +0000
Resent-Message-Id: <>
Received: from ([]) by with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from <>) id 1jZpj1-00034X-N3 for; Sat, 16 May 2020 05:51:08 +0000
Received: from ([] by with esmtp (Exim 4.92) (envelope-from <>) id 1jZpiy-0005VN-NK for; Sat, 16 May 2020 05:51:07 +0000
Received: (from willy@localhost) by pcw.home.local (8.15.2/8.15.2/Submit) id 04G5ogv9009237; Sat, 16 May 2020 07:50:42 +0200
Date: Sat, 16 May 2020 07:50:42 +0200
From: Willy Tarreau <>
To: Poul-Henning Kamp <>
Cc: Julian Reschke <>,,,,,,,
Message-ID: <>
References: <> <> <> <> <> <> <> <> <>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <>
User-Agent: Mutt/1.6.1 (2016-04-27)
Received-SPF: pass client-ip=;;
X-W3C-Hub-Spam-Status: No, score=-7.9
X-W3C-Hub-Spam-Report: BAYES_00=-1.9, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, W3C_AA=-1, W3C_IRA=-1, W3C_IRR=-3, W3C_WL=-1
X-W3C-Scan-Sig: 1jZpiy-0005VN-NK 2def70e024f85b623f1e161882815a91
Subject: Re: Last Call: <draft-ietf-httpbis-header-structure-18.txt> (Structured Field Values for HTTP) to Proposed Standard
Archived-At: <>
X-Mailing-List: <> archive/latest/37639
Precedence: list
List-Id: <>
List-Help: <>
List-Post: <>
List-Unsubscribe: <>

On Sat, May 16, 2020 at 05:42:21AM +0000, Poul-Henning Kamp wrote:
> --------
> In message <>de>, Julian Reschke writes
> :
> >I have no idea what the exact proposal would be. Fail when multiple
> >instances are there?
> That has always been my stance:  Multiple instances of the same
> header should have been banned long ago, ideally before the
> Cookie-Mistake allowed the total plunder of our privacy.

I disagree. Lots of components by then already needed to append
"connection: close", "cache-control: no-cache", "x-forwarded-for: foo"
and so on without having the ressources required to check for their
existence, or having the programmatic flexibility to let the user
express what to do. Don't forget that 20 years ago this was very
common and the amount of available CPU and RAM wasn't the same as

I think that the current definition is fine and reasonable. It doesn't
pose any problem as long as those who care about the field's value are
able to reject partial values. Those in the middle who aggregate the
partial values are not impacted if they don't use it, so the real
recipient for this header is the last one which either sees invalid,
partial values, or a complete, valid one.