Matt Menke

Results 61 comments of Matt Menke

Unfortunately, removing old behavior here is now pretty resource intensive, in terms of launch process in Chrome:

* Add code to gather data, wait months for data.
* Get feedback...

Another fun one: Chrome allows 4 bytes of random slop between requests, before the start of headers. I believe this was copied from Firefox or IE's behavior at the time....

A couple thoughts (note that I'm no longer on Chrome's network team, though still care about this area).

> Several other differences I discovered:
>
> 1. Space (or tab)...

Chrome rejects incomplete headers over HTTPS, as an attack mitigation, but allows them over HTTP. That change resulted in very few bug reports. While the increased prevalence of HTTPS hopefully...

That's unfortunate. Would be nice if we could align on lone-cr.window.js, but that would potentially cause a lot of breakage. Looks like Safari is passing a fair number of the...

Seems like that would be doable for TLS client auth, but gets very weird in the HTTP auth + socket limits case, so I'd rather not go in this direction....

Oh, sorry - I was reading the original proposal. Just getting rid of segregating credentialed sockets... it's a big enough change (yet still pretty invisible), that I'd be reluctant to...

It's been 3 years since I made that comment, but I think that comment can probably be ignored. I believe I was concerned about enterprises distinguishing between connections that were...

Worth noting that while RFC 2616 is of course obsolete, the current RFC has similar language (https://datatracker.ietf.org/doc/html/rfc7235).

I think a 403 would be reasonable, though I'm no expert on how 403s are typically used (or intended to be used). Another option would be to return a 200...