[Backport 2.5.x] Disallow users to send a message-body and Content-Length header field for 1xx, 204 and 304 responses (#6261) #6409
Conversation
… for 1xx, 204 and 304 responses (playframework#6261) As described in RFC7230 section-3.3.2[1], sending a Content-Length header field is not allowed in any response with a status code of 1xx (Informational) or 204 (No Content). This requirement was not forced in Play, which means a user can intentionally set a Content-Length header field like you find from this test code[2]. With regard to a Content-Length header field in a 304 response, we don't allow users to do it currently even a server May send it as mentioned in RFC7230 section-3.3.2. Additionally, as described in RFC7230 section-3.3[3], 1xx responses don't include a message body. With this commit, a message body isn't sent to meet the requirement. Then this fix makes sure that Play never sends a `Content-Length` header field and message-body for 1xx, 204 and 304 responses. The following is the partial citation from RFC7230 section-3.3.2 and 3.3. ``` A server MUST NOT send a Content-Length header field in any response with a status code of 1xx (Informational) or 204 (No Content). A server MUST NOT send a Content-Length header field in any 2xx(Successful) response to a CONNECT request (Section 4.3.6 of [RFC7231]). ``` ``` A server MAY send a Content-Length header field in a 304 (Not Modified) response to a conditional GET request (Section 4.1 of [RFC7232]); a server MUST NOT send Content-Length in such a response unless its field-value equals the decimal number of octets that would have been sent in the payload body of a 200 (OK) response to the same request. ``` ``` All 1xx (Informational), 204 (No Content), and 304 (Not Modified) responses do not include a message body. All other responses do include a message body, although the body might be of zero length. ``` [1] https://tools.ietf.org/html/rfc7230#section-3.3.2 [2] https://github.com/playframework/playframework/blob/2.5.4/framework/src/play-integration-test/src/test/scala/play/it/http/ScalaResultsHandlingSpec.scala#L327 [3] https://tools.ietf.org/html/rfc7230#section-3.3
|
Fails with: [error] * method SwitchingProtocols()play.api.mvc.Result in trait play.api.mvc.Results does not have a correspondent in old version adding methods to a trait makes it bin incompatible. But I guess that's fine for that? |
|
We might just want to remove the extra methods in Results to avoid the binary compatibility issue. |
…gProtocols} As we can't add methods to trait if we want to maintain binary-compatibility, I avoided adding these vals to Results.scala.
|
Thanks for your feedback and review! :) P.S.
Actually mima is correct. We can't add a |
|
Actually I found it not that hard after watching https://www.youtube.com/watch?v=K3sHQrhpvUM&index=15&list=PLX8CzqL3ArzUY6rQAQTwI_jKvqJxrRrP_ retronym has a great talk explaining it (and why it probably won't be "way" better in 2.12) |
|
Haha, glad to hear you've already self-solved it! :) Thanks for the link, will watch it from now :D |
Pull Request Checklist
Helpful things
Purpose
Backport of #6261
References
Please have a look at #6261