
Re: I-D ACTION:draft-whitehead-http-etag-00.txt

From: Jamie Lokier <jamie@shareable.org>
Date: Mon, 6 Mar 2006 18:07:59 +0000
To: Julian Reschke <julian.reschke@gmx.de>
Cc: jg@freedesktop.org, Larry Masinter <LMM@acm.org>, "'HTTP Working Group'" <ietf-http-wg@w3.org>
Message-ID: <20060306180759.GD1563@mail.shareable.org>

On a closely related note...

When I joined this list a couple of years ago, I had a couple of
questions that were unsatisfactorily answered in RFC2616, and after
discussing them here, proposed clearer wording.

One, which is a mild kind of security hole because of differing
implementations, is whether whitespace is allowed before the colon
following a header name.  The text seems to suggest yes and no
simultaneously depending how you parse it, so I proposed something
clearer.  Apache's implementation was, after many years, changed from
"no" to "yes" ostensibly to fix a security hole, yet it's questionable
if that's better or worse because implementations aren't consistent
about their interpretation of the space, and a secure proxy (for
example) should block rather than allow it, because of that inconsistency.

Another, which I questioned and so did someone else a few months
later, was about pipelining and Expect: 100-continue.  The text on
that is a bit unclear in parts, although by deduction there's only one
valid behaviour.  I had to have it explained to me, so it seemed like
a good idea to clarify the text.

I joined the list to ask those questions and hoping to clarify the
text, if nothing else - if I was confused, you could bet I wasn't the
only confused implementor.

But how do such changes get to the errata list?  I got the impression
that the HTTP errata list was no longer accepting additions, and ran
out of time and motivation then.

-- Jamie
Received on Monday, 6 March 2006 18:08:11 GMT
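
The whitespace-before-colon ambiguity described in the message above, as an added example that is not part of the original post or of any server's code: two lenient readings of the same header line disagree on the field name, while a blocking check of the kind the message suggests for a secure proxy rejects the line. The function names and sample lines are hypothetical and constructed for illustration.

```python
import re

# RFC 2616 "token": any CHAR except CTLs and separators.
TOKEN = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")

def lenient_strip(line):
    """Reading A: whitespace before the colon is ignored."""
    name, _, value = line.partition(b":")
    return name.strip(b" \t").lower(), value.strip(b" \t")

def lenient_literal(line):
    """Reading B: whitespace before the colon stays part of the name."""
    name, _, value = line.partition(b":")
    return name.lower(), value.strip(b" \t")

def strict(line):
    """Blocking policy: the name must be a token directly followed by ':'."""
    name, sep, value = line.partition(b":")
    if not sep or not TOKEN.fullmatch(name):
        raise ValueError("malformed header field name: %r" % name)
    return name.lower(), value.strip(b" \t")

def audit(lines):
    """Return (line, name under A, name under B, verdict) per header line."""
    report = []
    for line in lines:
        name_a = lenient_strip(line)[0]
        name_b = lenient_literal(line)[0]
        try:
            strict(line)
            verdict = "forward"
        except ValueError:
            verdict = "block"
        report.append((line, name_a, name_b, verdict))
    return report

# Constructed sample header lines (not taken from any real traffic).
SAMPLE = [b"Host: example.test", b"Content-Length : 5", b"X-Trace\t: abc"]

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(row)
```

Where the two lenient names differ, two implementations on the same connection can disagree about which headers a message carries, which is the inconsistency the blocking policy avoids.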
