[PATCH 1 of 2] HTTP: add support for trailers in HTTP responses
piotrsikora at google.com
Thu Jul 14 00:34:32 UTC 2016
> I'm talking about trailers in general (though it's more about
> requests than responses). Normal request (and response)
> processing in nginx assumes that headers are processed before the
> body, and adding trailers (which are headers "to be added later")
> to the picture are likely to have various security implications.
Let's step back a bit... I have no plans to change the processing
logic nor merge trailers with headers. Trailers are going to be
ignored (passed, but not processed) by NGINX, not discarded.
AFAIK, Apache does the same thing.
Basically, at this point, trailers act as metadata for the application
(browser, gRPC, 3rd-party NGINX module, etc.), with no HTTP semantics,
so there are no security implications for NGINX itself.
More information about the nginx-devel