New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Issue #11292 - Missing Date Response Header. #11293
Issue #11292 - Missing Date Response Header. #11293
Conversation
* Revert changes to boolean values in HttpConfiguration from commit 103e1d9 * Add Unit Tests for Date Response header in ee10 and DistributionTests
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There's no need to change from <Property>
to the attribute property
, and would change the default behaviour of jetty. The <Property>
element allows a default value to be specified, whereas using the attribute property
means that the setter won't be called unless a value is specified for the property., leaving the default value up to the code instead. As the server.mod
has commented out value for sendDateHeader
property, the default will revert to the code, which is true
. Usng the <Property>
element with a default of false
means it defaults to false, which seems to have been the case for a long time time, at least from jetty-10 onwards.
So I wouldn't change the xml, but a unit test might be useful to ensure that setting the property values is working as expected.
This is exactly what we want.
This means there is now a difference in default behavior between standalone and embedded. The XML and mod+ini sections should match the code defaults (like all of the other defaults on all of the other XML / INI+MOD sections)
The setSendDateHeader is default true in code and the commented out property. The older |
Yes, however when I reviewed the xml, the property settings and the code defaults in #6348 it was apparent that some property defaults had been different than the code defaults, so we decided to retain that behaviour, and not change to the code defaults. Changing now to default to |
I've not drilled down on this in detail.... I recall looking at this a while ago, as the RFC says that we should always send a Date header, so we are being a little bad by having the default false (can't remember which half of the users it is false for). At the time, I wanted to change to having the default true everywhere.... but then decided we didn't want to make a change that affected half our users. Ultimately, I think this is a case of if it is not really badly broken, then let's not fix it. |
OK, I've looked a bit deeper now and it looks like we had a bit of a long discussion about this 3 years ago in #6348. Is there any reason to re litigate the rough consensus that was determined then? Although I do recall a recent security issue that suggested we change default for allowing relative redirection, as that can prevent internal details from being disclosed in some situations. So that's the type of thing that should provoke a re-review of #6348. In the case of sending As for the original issue, I don't see how the default can affect the behavior with regards to a host header? |
Yeah! this part of the issue is still a total mystery. |
In the jetty.xml , in the httpconfiguration, sendDateHeader default value needs to be set to true |
Why? Do you have authoritative references that require so? |
@sbordet https://datatracker.ietf.org/doc/html/rfc9110#section-6.6.1
|
Fixes: #11292