Proxy / gateway behaviour if HTTP response data exceeds content length

Question

How should proxies / gateways behave when http servers send HTTP response where the data size exceeds content-length? Dropping it as a RFC non-compliance is one way to go but looks like there are quite a few implementations/deployments with this behaviour today and this change will end up breaking those URLs.

Will really appreciate any insights/pointers.

Thanks, Dev

Answer 1

If the data size exceeds content-length, the remaining bytes on the wire are considered part of the response to the next (pipelined) request.

If there isn't an outstanding request to match with that response, see https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-p1-messaging-26#section-3.3.3 -

   If the final response to the last request on a connection has been
   completely received and there remains additional data to read, a user
   agent MAY discard the remaining data or attempt to determine if that
   data belongs as part of the prior response body, which might be the
   case if the prior message's Content-Length value is incorrect.  A
   client MUST NOT process, cache, or forward such extra data as a
   separate response, since such behavior would be vulnerable to cache
   poisoning.