Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8213696

Make restricted headers in HTTP Client configurable and remove Date by default

    Details

    • Type: CSR
    • Status: Closed
    • Priority: P4
    • Resolution: Approved
    • Fix Version/s: 12
    • Component/s: core-libs
    • Labels:
      None
    • Subcomponent:
    • Compatibility Kind:
      behavioral
    • Compatibility Risk:
      minimal
    • Compatibility Risk Description:
      Hide
      No API change. Just adding a new property which allows additional headers to be set. The change also fixes a bug where it was allowed to set an Authorization or Proxy-Authorization header even if an authenticator object was set, which is supposed to manage these headers. It is unlikely that this behavior change will cause unexpected problems.
      Show
      No API change. Just adding a new property which allows additional headers to be set. The change also fixes a bug where it was allowed to set an Authorization or Proxy-Authorization header even if an authenticator object was set, which is supposed to manage these headers. It is unlikely that this behavior change will cause unexpected problems.
    • Interface Kind:
      System or security property

      Description

      Summary

      Allow setting of restricted HTTP request headers through a configurable networking property.

      Problem

      There have been a few complaints from developers needing to set HTTP request headers that are on an implementation-specific restricted list. On a number of previous occasions some of these headers have been removed from the restricted list. It makes most sense to make the list configurable so that the implementation does not have to change each time a new request is received.

      Solution

      Create a networking property which lists the restricted headers that are to be allowed.

      Specification

      Create a new networking/system property called jdk.httpclient.allowRestrictedHeaders which lists the restricted header names to be allowed. The property can be set in either net.properties or as a system property on the command line.

      The following text is to be added to the 'net.properties' properties file

      #
      # Allow restricted HTTP request headers
      #
      # By default, the following request headers are not allowed to be set by user code
      # in HttpRequests: "connection", "content-length", "expect", "host" and "upgrade".
      # The 'jdk.httpclient.allowRestrictedHeaders' property allows one or more of these
      # headers to be specified as a comma separated list to override the default restriction.
      # The names are case-insensitive and white-space is ignored (removed before processing
      # the list). Note, this capability is mostly intended for testing and isn't expected
      # to be used in real deployments. Protocol errors or other undefined behavior is likely
      # to occur when using them. The property is not set by default.
      # Note also, that there may be other headers that are restricted from being set
      # depending on the context. This includes the "Authorization" header when the
      # relevant HttpClient has an authenticator set. These restrictions cannot be
      # overridden by this property.
      #
      # jdk.httpclient.allowRestrictedHeaders=host
      #

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                michaelm Michael McMahon
                Reporter:
                michaelm Michael McMahon
                Reviewed By:
                Chris Hegarty, Daniel Fuchs
              • Votes:
                0 Vote for this issue
                Watchers:
                1 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: