Merge pull request #3145 from kazuho/kazuho/permanent-rejection

kazuho · web-flow · commit 7a3121fcd8db · 2025-09-26T13:29:17.000+09:00
WAFs might reject requests permanently
diff --git a/draft-ietf-httpbis-incremental.md b/draft-ietf-httpbis-incremental.md
@@ -142,6 +142,28 @@ generally more consistent with HTTP's architecture.
 
 # Security Considerations
 
+When receiving an incremental request, intermediaries might reject the request
+due to security concerns. The following subsections explore typical scenarios
+under which the intermediaries might reject requests.
+
+
+## Permanent Rejection
+
+Some intermediaries inspect the payload of an HTTP messages and forward them
+only if the content is deemed safe. Any feature that depends on seeing the
+entirety of the message in this way is incompatible with incremental delivery,
+so these intermediaries need to reject requests unless the entire message is
+received.
+
+When an intermediary rejects an incremental message -- either a request or a
+response -- due to security concerns with regard to the payload that the message
+might convey, the intermediary SHOULD respond with a 501 (Not Implemented) error
+with an incremental_refused Proxy-Status response header field
+({{iana-considerations}}).
+
+
+## Temporary Rejection
+
 To conserve resources required to handle HTTP requests or connections, it is
 common for intermediaries to impose limits on the maximum number of concurrent
 HTTP requests that they forward, while buffering requests that exceed this
@@ -159,6 +181,9 @@ intermediaries SHOULD respond with a 429 Too Many Requests error
 accompanied by a connection_limit_reached Proxy-Status response header field
 ({{Section 2.3.12 of PROXY-STATUS}}).
 
+
+## Handling of Small Packets
+
 For performance and efficiency reasons, a small amount of buffering might be
 used by intermediaries, even for incremental messages. Immediate forwarding
 might be exploited to cause an intermediary to waste effort on many small
@@ -193,6 +218,27 @@ Comments:
 : None
 {: spacing="compact"}
 
+An HTTP Proxy Error Type is registered in the HTTP Proxy Error Types registry as
+shown below:
+
+Name:
+: incremental_refused
+
+Description:
+: The HTTP message contained the Incremental HTTP header field, but the
+  intermediary refused to forward the message incrementally.
+
+Extra Parameters:
+: none
+
+Recommended HTTP Status Code:
+: 501
+
+Response Only Generated By Intermediaries:
+: true
+
+Reference:
+: this document
 
 --- back
 
