[libsoup/mcatanzaro/require-close-notify-comment] socket: Add comment on why we disable require-close-notify



commit 11a5a8c66b78ba9c0166ed566f746a2f26815cfb
Author: Michael Catanzaro <mcatanzaro igalia com>
Date:   Sun Jun 23 15:04:32 2019 -0500

    socket: Add comment on why we disable require-close-notify
    
    This will be nice to read 5-10 years from now after I've forgotten why
    this is the way it is. Or for anybody else who winds up investigating it
    in the future.

 libsoup/soup-socket.c | 8 ++++++++
 1 file changed, 8 insertions(+)
---
diff --git a/libsoup/soup-socket.c b/libsoup/soup-socket.c
index afa9be4a..cd883bb5 100644
--- a/libsoup/soup-socket.c
+++ b/libsoup/soup-socket.c
@@ -1367,6 +1367,14 @@ soup_socket_setup_ssl (SoupSocket    *sock,
 
        priv->ssl = TRUE;
 
+       /* We intentionally disable require-close-notify when creating the
+        * GTlsConnection because it's required for web compatibility and
+        * perfectly safe to do with HTTP 1.0 and newer. (It's unsafe in old
+        * HTTP 0.9, but we don't support that.)
+        *
+        * https://security.stackexchange.com/a/82044
+        */
+
        if (!priv->is_server) {
                GTlsClientConnection *conn;
                GSocketConnectable *identity;
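Review bot: the new comment placed before `if (!priv->is_server) {` asserts that disabling require-close-notify is "perfectly safe to do with HTTP 1.0 and newer" but leaves the reason entirely to the external link. Please state the reason in the comment itself, so the rationale survives if the URL goes away: without close_notify, truncation has to be caught by HTTP's own message framing (Content-Length or chunked encoding). It would also help to say how a response delimited only by connection close is treated, since that framing gives no length to check against. Separately, the lines that actually set require-close-notify are not visible in this hunk, and the comment sits ahead of both the client and server branches, separated from the code by a blank line. Moving it next to where the property is set, or adding a short pointer there, would make it easier to find.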

