问题
Is it safe to trust the Content-Length HTTP header? According to the MDN docs it is a Forbidden header name. If I go to that page it says the following.
Modifying such headers is forbidden because the user agent retains full control over them.
But wouldn't there still be a way to spoof these values if you control the user agent?
I'm just trying to figure out how safe it is to trust those headers on that Forbidden header name page and if they are able to be spoofed at all.
回答1:
Given the scenario you describe, yes it's possible for a client to set the incorrect Content-Length. There is no guarantee that it's correct.
If Content-Length is too large, a server might wait and time-out to get the remainder of the data. If it's too small, the server might cut the TCP connection before the entire body came in, or in the case of Connection: Keep-Alive the server might assume the client started another HTTP request, get confused and send a bad request response.
来源:https://stackoverflow.com/questions/49933544/is-http-content-length-header-safe-to-trust