Closed sonic182 closed 2 years ago
We have no plans to deviate from the HTTP specification and since the specification even says it can lead to security issues, even more so in this case.
From RFC9112 section 5.1:
No whitespace is allowed between the field name and colon. In the past, differences in the handling of such whitespace have led to security vulnerabilities in request routing and response handling. A server MUST reject, with a response status code of 400 (Bad Request), any received request message that contains whitespace between a header field name and colon. A proxy MUST remove any such whitespace from a response message before forwarding the message downstream.
RFC9112
Thanks for your very precise response :rocket:
This example simulates the same header parsing that Mint does:
The error is when parsing the header
Strict-Transport-Security : 4838400
which has a space before the colon. The RFC says that it shouldn't happen and
:erlang.decode_package
works correctly, displaying an error in that case, but... shall Mint handle it, maybe, to make it more accessible for some servers?
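As an added illustration of the RFC 9112 section 5.1 rule quoted in the maintainer's reply and of the failing header line from the report above (this is example code written for this page, not Mint's parser, not `:erlang.decode_packet`, and not code from either poster): a small field-line parser that behaves as the RFC prescribes for a server (reject the message with 400) and for a proxy (strip the whitespace before forwarding), next to a naive "split on the first colon" parser that shows why the two readings of `Content-Length : N` style headers are the security problem the RFC refers to. The header block and the function names are constructed for the example.

```python
"""Header field-line parsing per RFC 9112 section 5.1 (example code, not Mint's)."""
import re

# RFC 9110 section 5.6.2 token characters: the allowed field-name alphabet.
_TCHAR = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]"
# Well-formed line:   field-name ":" OWS field-value OWS   (OWS = optional SP/HTAB)
_FIELD_LINE = re.compile(rf"^({_TCHAR}+):[ \t]*(.*?)[ \t]*$")
# The forbidden shape: one or more SP/HTAB between field-name and ":".
_SPACE_BEFORE_COLON = re.compile(rf"^({_TCHAR}+)[ \t]+:[ \t]*(.*?)[ \t]*$")


class BadRequest(ValueError):
    """Server role: the whole request MUST be answered with 400 Bad Request."""


def parse_field_line(line, role="server"):
    """Parse one header field line into (lowercased name, value).

    role="server": whitespace between name and colon -> BadRequest (RFC 9112 5.1).
    role="proxy":  that whitespace is removed before the line is forwarded.
    """
    if line.endswith("\r\n"):
        line = line[:-2]
    elif line.endswith("\n"):
        line = line[:-1]
    m = _FIELD_LINE.match(line)
    if m:
        return m.group(1).lower(), m.group(2)
    m = _SPACE_BEFORE_COLON.match(line)
    if m:
        if role == "server":
            raise BadRequest(f"whitespace between field name {m.group(1)!r} and colon")
        if role == "proxy":
            return m.group(1).lower(), m.group(2)
        raise ValueError(f"unknown role {role!r}")
    raise BadRequest(f"malformed field line: {line!r}")


def parse_headers(raw, role="server"):
    """Parse a CRLF-separated header block (no start line, no body) into a dict.
    Later duplicates overwrite earlier ones; that is fine for this illustration."""
    headers = {}
    for line in raw.split("\r\n"):
        if line == "":
            continue  # the empty line terminates the header section
        name, value = parse_field_line(line, role)
        headers[name] = value
    return headers


def naive_parse_headers(raw):
    """What a lenient parser that just splits on the first ':' produces.
    The trailing space stays in the name, so 'content-length ' is a different
    key from 'content-length': this parser and a stripping parser would read
    the same message with different body lengths, which is the routing/
    smuggling hazard the RFC text warns about."""
    headers = {}
    for line in raw.split("\r\n"):
        if line == "":
            continue
        name, _, value = line.partition(":")
        headers[name.lower()] = value.strip()
    return headers


def server_accepts(line):
    """True if a conforming server would accept this single field line."""
    try:
        parse_field_line(line, "server")
        return True
    except BadRequest:
        return False


# Constructed sample header block, modelled on the header line from the report.
SAMPLE = (
    "Content-Type: text/html\r\n"
    "Strict-Transport-Security : 4838400\r\n"
    "\r\n"
)


def check_sample():
    """Return the server, proxy and naive interpretations of SAMPLE."""
    try:
        server = parse_headers(SAMPLE, "server")
    except BadRequest as exc:
        server = f"400 Bad Request: {exc}"
    proxy = parse_headers(SAMPLE, "proxy")
    naive = naive_parse_headers(SAMPLE)
    return server, proxy, naive


if __name__ == "__main__":
    for label, result in zip(("server", "proxy", "naive"), check_sample()):
        print(f"{label:>6}: {result}")
```

Running the block prints the three readings of the same bytes: the server rejects the message outright, the proxy normalises the name to `strict-transport-security`, and the naive parser files the value under a name with a trailing space, which no later lookup for the real header name will find. That divergence, not the stray space itself, is what makes lenient handling a vulnerability.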