author | dgaudet <dgaudet@unknown> | 1999-06-04 17:15:48 +0000 |
---|---|---|
committer | dgaudet <dgaudet@unknown> | 1999-06-04 17:15:48 +0000 |
commit | b709b72933e84b053c759fd8dbc43490c1b57abb (patch) | |
tree | 165450e11a3b96546da9442073d2d2884ef08722 /docs/manual/content-negotiation.html.en | |
parent | c4d053948cd91d178063cb178aa13b8633e7181d (diff) | |
download | httpd-b709b72933e84b053c759fd8dbc43490c1b57abb.tar.gz |
This patch removes the processing of `mxb' parameters in Accept
headers in mod_negotiation. A second patch updates the manual to
reflect this (mxb is not documented directly in the manual but support
for it is implied in one place).
Reasons for removing this feature:
1) As currently implemented, the 'mxb' feature makes possible certain
denial-of-service attacks on negotiated content. These attacks are
possible for user communities which access an Apache server from
behind a HTTP/1.1 proxy which implements `Vary' related optimisations.
Plugging this denial of service hole without removing `mxb' is fairly
expensive in terms of degrading caching efficiency.
2) `mxb' is not in HTTP/1.0 or HTTP/1.1 or any other standard
3) Nobody seems to make use of 'mxb'. (Balachander Krishnamurthy
kindly offered to grep some of his web traffic traces -- he did not
find a single Accept with mxb in a whole day of recent traffic, nor in
older traces)
4) Removing a feature makes a nice change from adding features.
Submitted by: Koen Holtman <Koen.Holtman@cern.ch>
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@83288 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to 'docs/manual/content-negotiation.html.en')
-rw-r--r-- | docs/manual/content-negotiation.html.en | 7 |
1 files changed, 3 insertions, 4 deletions
diff --git a/docs/manual/content-negotiation.html.en b/docs/manual/content-negotiation.html.en index 11dd0dbb4b..7bfaee5afa 100644 --- a/docs/manual/content-negotiation.html.en +++ b/docs/manual/content-negotiation.html.en @@ -196,10 +196,9 @@ The full list of headers recognized is: for compress'd files, and <CODE>x-gzip</CODE> for gzip'd files. The <CODE>x-</CODE> prefix is ignored for encoding comparisons. <DT> <CODE>Content-Length:</CODE> - <DD> The size of the file. Clients can ask to receive a given media - type only if the variant isn't too big; specifying a content - length in the map allows the server to compare against these - thresholds without checking the actual file. + <DD> The size of the file. Specifying content + lengths in the type-map allows the server to compare file sizes + without checking the actual files. <DT> <CODE>Description:</CODE> <DD> A human-readable textual description of the variant. If Apache cannot find any appropriate variant to return, it will return an error |
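Review bot: The rewritten <DD> text for Content-Length says the type-map "allows the server to compare file sizes" but no longer says what that comparison is used for, now that the sentence about clients asking for a variant only if it "isn't too big" has been removed. Suggest adding a clause that names the remaining purpose of the size comparison, so a type-map author can tell why the header is still worth setting. The commit message describes this as the one place where the manual implied mxb support; since only this hunk is touched, it is worth confirming that no other passage in content-negotiation.html.en still refers to client-supplied size thresholds.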