Getting RST_STREAM with Error: CANCEL (8) #12478

Closed
manudhariwal opened this issue Nov 5, 2024 · 4 comments
Comments

@manudhariwal

manudhariwal commented Nov 5, 2024

Jetty: 10.0.24

Java: 11

We are facing an issue wherein we are getting RST_STREAM with Error: CANCEL (8) when we send the response with the header below.

response.setStatus(401);
response.setHeader("WWW-Authenticate", "Bearer realm= Access to service is unauthorized ,\n error=401,\n error_description=Authorization header format is Invalid");

The above header used to work fine in Jetty 9.4.43.v20210629.

@sbordet
Contributor

sbordet commented Nov 5, 2024

Jetty 10 is at end of community support, see:

Please upgrade to Jetty 12 and report back if you still see the issue.

And please, do not use the WWW-Authenticate header to send to the client error messages containing newlines, that's not what that header is meant for.
Fix your application.

@sbordet sbordet closed this as completed Nov 5, 2024
@manudhariwal
Author

manudhariwal commented Nov 5, 2024

Hi @sbordet, greetings,

We understand that this is not what this header is meant for, and somehow we have concluded that when we remove the "\n" from the header value, we are able to get the response. Could you please let us know why it was working in Jetty 9.x and not in Jetty 10.x? Does this header value not support "\n"?

@sbordet
Contributor

sbordet commented Nov 5, 2024

HTTP header values do not support newlines.

The difference between Jetty 9 and later is due to restricted checks on later Jetty versions about potential security risks.

@joakime
Contributor

joakime commented Nov 5, 2024

@manudhariwal line folding (what you are doing with those \n characters) was declared obsolete by RFC7230 back in June 2014, with language that clients MUST NOT send them, and servers MUST fail when encountering them, due to various security issues that the line folding enables.

The support is fully deprecated in the updated RFC9112 back in June 2022. Same strong language about failing the request/response if those are used.

HTTP/2 and HTTP/3 follow this behavior.
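The following is an added example, not code from Jetty or from anyone in this thread. It reproduces, in Python, the kind of field-value check that RFC 9110 (field-value grammar) and RFC 9112 (obs-fold) require and that the comments above say later Jetty versions enforce: CR or LF inside a header value is rejected, and a CR/LF followed by whitespace is flagged as obsolete line folding. It also shows how the same `WWW-Authenticate` information from the issue can be sent on a single line using quoted `realm`, `error` and `error_description` parameters. The function names, the `bearer_challenge` helper and the test strings are constructed for this example; the exact reason strings Jetty itself reports are not known from this page.

```python
"""Header field-value validation and a single-line WWW-Authenticate builder.

Added example (not Jetty's own code). The value grammar follows RFC 9110
section 5.5 (field-value) and RFC 9112 section 5.2 (obs-fold); the helper
names and the sample strings are constructed for illustration.
"""
import re

# field-value = *field-content, field-content = field-vchar [ 1*( SP / HTAB / field-vchar ) field-vchar ]
# field-vchar = VCHAR / obs-text (0x21-0x7E, 0x80-0xFF). CR (0x0D), LF (0x0A)
# and other control characters are never part of a valid field value.
_FIELD_VALUE = re.compile(
    r"(?:[\x21-\x7e\x80-\xff](?:[ \t\x21-\x7e\x80-\xff]*[\x21-\x7e\x80-\xff])?)?"
)
# obs-fold = OWS CRLF 1*( SP / HTAB ): a line break followed by whitespace.
_OBS_FOLD = re.compile(r"\r?\n[ \t]")


def check_field_value(value: str) -> tuple[bool, str]:
    """Return (accepted, reason); reason is '' when the value is accepted."""
    if _FIELD_VALUE.fullmatch(value):
        return True, ""
    if _OBS_FOLD.search(value):
        return False, "obs-fold (CR/LF followed by whitespace), obsolete since RFC 7230"
    if "\r" in value or "\n" in value:
        return False, "bare CR/LF in field value"
    return False, "leading/trailing whitespace or character outside field-vchar/obs-text"


def quoted_string(text: str) -> str:
    """RFC 9110 quoted-string. Runs of whitespace (including any CR/LF) are
    collapsed to one space, then backslash and double quote are escaped."""
    flat = " ".join(text.split())
    return '"' + flat.replace("\\", "\\\\").replace('"', '\\"') + '"'


def bearer_challenge(realm: str, error: str, error_description: str) -> str:
    """Build a one-line Bearer challenge (RFC 6750 auth-params) carrying the
    same information the issue's header tried to send across folded lines."""
    params = [
        f"realm={quoted_string(realm)}",
        f"error={quoted_string(error)}",
        f"error_description={quoted_string(error_description)}",
    ]
    value = "Bearer " + ", ".join(params)
    ok, reason = check_field_value(value)
    if not ok:  # defensive: should never trigger, since quoted_string strips CR/LF
        raise ValueError(reason)
    return value


if __name__ == "__main__":
    # Constructed from the header value quoted in the issue above.
    folded = ("Bearer realm= Access to service is unauthorized ,\n error=401,"
              "\n error_description=Authorization header format is Invalid")
    print(check_field_value(folded))
    print(bearer_challenge("Access to service is unauthorized", "401",
                           "Authorization header format is Invalid"))
```

Running the module prints the rejection reason for the folded header from the issue and then the single-line replacement, which passes the same check. The reason strings are this example's own wording; the point a reviewer should take from it is that any newline inside a field value, whether or not it is followed by whitespace, is a protocol violation that a conforming server is expected to refuse.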
