Link: http://trac.tools.ietf.org/wg/httpbis/trac/ticket/95
Origin: http://www.w3.org/mid/87k5nu8gbw.fsf@bluewind.rcis.aist.go.jp
Component: p1-messaging
Many servers and proxies accept messages containing two Content-Length: headers in different manners: some interpret the first header, and some the latter. This has caused "request/response smuggling attacks", when any pair of the server, the proxy, and the clients involved interpret those differently. The outcome of the attack is severe: it allows cross-site content injection.
To fix this, I recommend adding the following note to the specification.
Messages MUST NOT include any hop-to-hop header twice. When a server receives such a request, it MUST respond with 400 (Bad Request) and close the connection. When a client receives such a response, it MUST discard the response and close the connection. The client MUST NOT accept any responses which follow such an invalid response in a keep-alive connection.
The requirement words may be "SHOULD" and "SHOULD NOT", and the restricted headers can be limited to Connection, Transfer-Encoding, and Content-Length.
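The check the proposed rule asks of a server, as an added example that is not part of this ticket or of the specification: it inspects the header block of a raw HTTP/1.x request, counts the three framing headers named at the end of the ticket case-insensitively, and returns a 400-and-close verdict when any of them is repeated. The sample requests are constructed, not captured traffic.

```python
"""Reject HTTP/1.x requests that repeat a framing header.

Added example for the rule proposed in the ticket; not ticket or spec text.
Only Connection, Transfer-Encoding and Content-Length are checked, the
narrower set the ticket allows. Names are matched case-insensitively.
"""
from dataclasses import dataclass
from typing import Dict, List

# Headers whose duplication changes how intermediaries frame the body.
FRAMING_HEADERS = frozenset({"connection", "transfer-encoding", "content-length"})


@dataclass
class Verdict:
    status: int              # 200: headers acceptable, 400: reject the request
    close_connection: bool   # the ticket requires closing after a 400
    reason: str


def parse_header_block(raw: bytes) -> Dict[str, List[str]]:
    """Map lower-cased header name -> every value seen, so that
    'Content-Length' and 'content-length' are counted as the same header."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    headers: Dict[str, List[str]] = {}
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(b":")
        if not sep:
            continue                              # malformed line: out of scope here
        key = name.strip().lower().decode("latin-1")
        headers.setdefault(key, []).append(value.strip().decode("latin-1"))
    return headers


def check_request(raw: bytes) -> Verdict:
    """Apply the ticket's rule: any repeated framing header -> 400 and close."""
    headers = parse_header_block(raw)
    for name in sorted(FRAMING_HEADERS):
        values = headers.get(name, [])
        if len(values) > 1:
            return Verdict(400, True, f"{name} appears {len(values)} times: {values}")
    return Verdict(200, False, "ok")


# Constructed sample requests for demonstration.
AMBIGUOUS = (b"POST /submit HTTP/1.1\r\nHost: example.test\r\n"
             b"Content-Length: 3\r\nContent-Length: 0\r\n\r\na=1")
CLEAN = (b"POST /submit HTTP/1.1\r\nHost: example.test\r\n"
         b"Content-Length: 3\r\n\r\na=1")

if __name__ == "__main__":
    print(check_request(AMBIGUOUS))   # status 400, close_connection True
    print(check_request(CLEAN))       # status 200
```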