
RE: Message delimiting security issues

From: Larry Masinter <masinter@gmail.com>
Date: Fri, 19 Jan 2007 11:05:46 -0800
To: <ietf-http-wg@w3.org>
Message-ID: <001301c73bfc$d5723ea0$661796c0@adobenet.global.adobe.com>

In my opinion:

* The current spec is ambiguous, and needs clarification
* Although, in general, it is not appropriate to 'tighten'
  a spec's requirements, in some cases (and in this case)
  it is the right choice:

  There are few clients that send LWS between header
  name and :.

  There are already many servers that reject such
  requests.

So, in my opinion, we should change the spec to say that
clients MUST NOT send LWS in headers before the :,
and that servers MUST reject any such message as
malformed.

This may make a few servers that were previously
compliant non-compliant, but in general it will
improve interoperability and security.
Received on Friday, 19 January 2007 19:06:01 GMT
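
The server-side rule proposed in the message above, as an added example that is not part of the original post or of any HTTP implementation: a header parser that rejects the whole message when LWS appears between a header name and the colon. The function names, the 400/200 return values and the sample header blocks are assumptions made for illustration; folded continuation lines are not handled and are rejected as malformed.

```python
import re

# RFC 2616 "token": any CHAR except CTLs and separators.
TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")


class MalformedHeader(ValueError):
    """Raised when a header line must be rejected as malformed."""


def parse_header_line(line: bytes) -> tuple[str, str]:
    """Parse one header line (CRLF already removed), rejecting LWS before the colon."""
    text = line.decode("latin-1")
    name, sep, value = text.partition(":")
    if not sep:
        raise MalformedHeader("no colon in header line")
    if name != name.rstrip(" \t"):
        # Rejecting here, rather than trimming, means no two parsers can
        # disagree about which header this line names.
        raise MalformedHeader("LWS between header name and colon")
    if not TOKEN.fullmatch(name):
        raise MalformedHeader("header name is not a valid token")
    return name.lower(), value.strip(" \t")


def parse_header_block(raw: bytes) -> dict[str, list[str]]:
    """Parse a CRLF-separated header block; one malformed line rejects the message."""
    headers: dict[str, list[str]] = {}
    for line in raw.split(b"\r\n"):
        if not line:
            break  # the empty line ends the header block
        name, value = parse_header_line(line)
        headers.setdefault(name, []).append(value)
    return headers


def status_for(raw: bytes) -> int:
    """Hypothetical server hook: 400 for a malformed header block, 200 otherwise."""
    try:
        parse_header_block(raw)
    except MalformedHeader:
        return 400
    return 200


# Constructed sample header blocks (not taken from the thread).
GOOD = b"Host: example.org\r\nContent-Length: 5\r\n\r\n"
BAD = b"Host: example.org\r\nContent-Length : 5\r\n\r\n"
```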
