8. Requirements for HTTP CONNECT
This section preserves the RFC text for optimistic HTTP/1.1 protocol transitions, including request smuggling risks, parser exploit risks, existing Upgrade tokens, HTTP CONNECT requirements, and IANA status.
8. Requirements for HTTP CONNECT
This document updates [HTTP/1.1] to include the remaining text of
this section. The requirements in this section apply only to
HTTP/1.1.
Proxy clients that send CONNECT requests on behalf of untrusted TCP
clients MUST do one or both of the following:
1. Wait for a 2xx (Successful) response before forwarding any TCP
payload data.
2. Send a "Connection: close" request header.
Proxy clients that don't implement at least one of these two
behaviors are vulnerable to a trivial Request Smuggling attack
([HTTP/1.1], Section 11.2).
At the time of writing, some proxy clients are believed to be
vulnerable as described. As a mitigation, proxy servers MUST close
the underlying connection when rejecting a CONNECT request without
processing any further requests on that connection. This requirement
applies whether or not the request includes a "close" connection
option.
Note that this mitigation will frequently cause slower connection
establishment for correctly implemented clients, especially when
returning a 407 (Proxy Authentication Required) response. This
performance loss can be avoided by using HTTP/2 or HTTP/3, which are
not vulnerable to this attack.
As a performance optimization, proxy servers MAY disable this
mitigation if the client is known to wait for a 2xx (Successful)
response before forwarding untrusted TCP payload data (i.e.,
complying with item 1 above). Proxy servers can identify compliant
clients using the request's User-Agent header field and the user
agent vendor's documentation regarding its compliance.