jsr369-experts@servlet-spec.java.net

[jsr369-experts] Re: [servlet-spec users] Re: RFC7239 support

From: Greg Wilkins <gregw_at_webtide.com>
Date: Sat, 17 Sep 2016 10:12:50 +1000

On 17 September 2016 at 00:02, Mark Thomas <markt_at_apache.org> wrote:
>
> I don't recall a single request for RFC 7239 support from the Tomcat
> community. We have plenty of requests (and support) for X-Forwarded-For
> and friends.
>

Yep - demand for it has been low in Jetty also and we only just recently
added support for it. However, its semantics are sufficiently similar to
the de facto standards that I think any support we give for RFC7239 can
easily be extended to X-Forwarded as a transparent extension.

I think correctly implementing these headers is important for both
functionality and security reasons; moreover, the RFC version is not
exactly trivial to implement because it does allow for fully parametrized,
quoted, comma-separated values. I assume the de facto standard could also
support such values, but as there is no spec, implementations get away with
assuming simple values.

If adoption of the RFC is to increase, it would be good for the container
spec to be out front for once and actually provide a service that would
make the transition from de facto standard to standard easy and secure.


-- 
Greg Wilkins <gregw@webtide.com> CTO http://webtide.com
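
Added example, not part of the original message and not Jetty or Tomcat code: a quote-aware parser for the RFC 7239 `Forwarded` field value, showing why splitting on "," or ";" is not enough once values may be quoted. The class name, method name and sample header are constructed for illustration.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;

public class ForwardedHeaderParser {

    /** Parses a Forwarded field value into one ordered map per forwarded-element. */
    public static List<Map<String, String>> parse(String header) {
        List<Map<String, String>> elements = new ArrayList<>();
        Map<String, String> current = new LinkedHashMap<>();
        StringBuilder name = new StringBuilder();
        StringBuilder value = new StringBuilder();
        boolean inValue = false, inQuotes = false, escaped = false;

        // A trailing ',' sentinel flushes the last pair and the last element.
        for (char c : (header + ",").toCharArray()) {
            if (escaped) { value.append(c); escaped = false; }      // quoted-pair: take literally
            else if (inQuotes && c == '\\') escaped = true;
            else if (c == '"' && inValue) inQuotes = !inQuotes;      // quotes delimit, they are not data
            else if (inQuotes) value.append(c);                      // ',' and ';' are data inside quotes
            else if (Character.isWhitespace(c)) { /* optional whitespace outside quotes is ignored */ }
            else if (c == '=' && !inValue) inValue = true;
            else if (c == ';' || c == ',') {
                // Parameter names are case-insensitive; pairs without '=' are dropped.
                String key = name.toString().toLowerCase(Locale.ROOT);
                if (inValue && !key.isEmpty()) current.put(key, value.toString());
                name.setLength(0); value.setLength(0); inValue = false;
                if (c == ',') {                                      // end of one forwarded-element
                    if (!current.isEmpty()) elements.add(current);
                    current = new LinkedHashMap<>();
                }
            }
            else (inValue ? value : name).append(c);
        }
        // If a quote never closed, the sentinel was swallowed as data: reject the header.
        if (inQuotes) throw new IllegalArgumentException("unterminated quoted-string");
        return elements;
    }

    public static void main(String[] args) {
        // Constructed sample: two elements whose quoted values contain ':', ',' and ';'.
        String sample = "for=\"[2001:db8:cafe::17]:4711\";Proto=https, for=192.0.2.43;by=\"_edge,1;a\"";
        System.out.println("naive split(\",\") pieces: " + sample.split(",").length);
        System.out.println("quote-aware elements:    " + parse(sample));
    }
}
```

The parser only recovers the syntax; whether any element can be believed still depends on which proxies in the chain the deployment controls, since a client can send its own `Forwarded` field.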