Skip to main content

1. Overview

This section preserves the RFC text for optimistic HTTP/1.1 protocol transitions, including request smuggling risks, parser exploit risks, existing Upgrade tokens, HTTP CONNECT requirements, and IANA status.

1.  Overview

This document discusses certain security considerations that arise
when switching from HTTP/1.1 to a different protocol on the same
connection. It provides:

* a review of the relevant standards,

* a discussion of the security risks that may apply if a client
sends data before the transition is confirmed,

* a security evaluation of existing upgrade tokens, and

* guidance for implementations and future standards documents.

Updates to [HTTP/1.1] and [CONNECT-UDP], including new normative
requirements, are provided in Sections 8 and 6.3, respectively.