Java’s setRequestProperty supported, with a caveat

Just a morsel of technical documentation..

Opera's Java implementation will now support HTTPUrlConnection.setRequestProperty but for security reasons (to prevent so called "request smuggling attacks") it will not permit sending several headers. These headers include "Host", "Content-length" and "Transfer-Encoding".

This is the same security policy we apply to the XMLHttpRequest object and I believe the Flash plugin does the same thing for its ActionScript implementation.


2 thoughts on “Java’s setRequestProperty supported, with a caveat

  1. Since you don't permit the sending of host headers, is Opera totally against HTTP 1.1 when requests are sent in these contexts?

  2. No. To clarify: these headers are added as required but by Opera itself. A Java applet or XMLHttpRequest script may not modify these values.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s