1

Given a web app (netcoreapp3.0 hosted in IIS) -- any request with certain values for the Accept-Encoding header never gets to the application. http.sys parses it and spits out a 400 - BadRequest.

i.e., Accept-Encoding: application/gzip,gzip

The issue seems to be the '/' character.

We are not in control of the client(s) and would like to not ask to have them conform/change their client's requests. Their requests work with other (non IIS) servers.

Unless I'm reading the spec incorrectly -- I believe the above value is valid for the header. Thought about asking or reporting a bug on GitHub - dotnet/aspnetcore - but not sure if it's a bug.

Thanks for any advice.

Would like to avoid a Kestrel w/ apache | nginx reverse proxy.

jimnkey

1 Answer

0

As far as I know, Accept and Accept-Encoding are not the same header. So you read the wrong article.

The right RFC article is: https://www.rfc-editor.org/rfc/rfc7231#section-5.3.4

  The "Accept-Encoding" header field can be used by user agents to
   indicate what response content-codings (Section 3.1.2.1) are
   acceptable in the response.  An "identity" token is used as a synonym
   for "no encoding" in order to communicate when no encoding is
   preferred.

     Accept-Encoding  = #( codings [ weight ] )
     codings          = content-coding / "identity" / "*"

So it doesn't support the "/". There is no way to modify the setting to allow IIS to access the wrong header.

Brando Zhang
  • I added the proper anchor now --- but all you had to do was scroll down a little to get to Accept-Encoding. Regardless, it does say it's similar. Not understanding what you mean by "allow IIS access the wrong header". BUT, the link you provide did help a bit to get to the standard for allowed values -- which should be 'token's - https://tools.ietf.org/html/rfc7230#section-3.2.6 . It seems to answer my question -- but I'm afraid I have asked the wrong question. – jimnkey Jan 09 '20 at 21:51
  • I should have asked for options/workarounds (minus the Kestrel option). I'll mark as accepted because it's my fault... – jimnkey Jan 09 '20 at 21:58
  • Second thought though --- even if '/' is not part of a token, it is a delimiter. IMO -- http.sys should not reject it and allow the application to handle whether it's bad or not! e.g., ',' is also a delimiter and it is allowed in that header. – jimnkey Jan 09 '20 at 22:19
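
A checker for the grammar quoted in the answer, as an added example that is not part of the original posts and makes no claim about how http.sys parses the header: it validates an Accept-Encoding value against the RFC 7231 section 5.3.4 ABNF and the RFC 7230 section 3.2.6 token rule, and reports which characters break it. The function name and the second sample value are assumptions made for illustration.

```python
import re

# RFC 7230 section 3.2.6: token = 1*tchar ("/" and "," are delimiters, not tchars)
TCHAR = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]"
TOKEN = re.compile(rf"{TCHAR}+\Z")
# RFC 7231 section 5.3.1: qvalue = ( "0" [ "." 0*3DIGIT ] ) / ( "1" [ "." 0*3("0") ] )
QVALUE = re.compile(r"(?:0(?:\.[0-9]{0,3})?|1(?:\.0{0,3})?)\Z")


def check_accept_encoding(value):
    """Return (codings, errors) for one Accept-Encoding field value.

    codings: (coding, q) pairs for list elements that match the grammar.
    errors: reasons for the elements that do not.
    """
    codings, errors = [], []
    for element in value.split(","):
        element = element.strip(" \t")
        if not element:
            continue  # empty list elements are tolerated by recipients (RFC 7230 section 7)
        coding, sep, param = element.partition(";")
        coding = coding.rstrip(" \t")
        if not TOKEN.match(coding):
            bad = sorted({c for c in coding if not re.match(TCHAR, c)})
            errors.append(f"{coding!r}: not a token, offending characters {bad}")
            continue
        q = 1.0  # no weight given means q=1
        if sep:
            name, eq, qv = param.strip(" \t").partition("=")
            if name.lower() != "q" or not eq or not QVALUE.match(qv):
                errors.append(f"{element!r}: malformed weight")
                continue
            q = float(qv)
        codings.append((coding.lower(), q))
    return codings, errors


if __name__ == "__main__":
    samples = [
        "application/gzip,gzip",               # value from the question
        "gzip;q=0.8, identity; q=0, *;q=0.1",  # constructed, grammar-conformant
    ]
    for sample in samples:
        ok, bad = check_accept_encoding(sample)
        print(f"{sample!r}\n  accepted: {ok}\n  rejected: {bad}")
```

Running this over captured request headers from the affected clients shows which values fall outside the token grammar before they reach the server.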