W3C home > Mailing lists > Public > ietf-http-wg@w3.org > April to June 2008

Re: PROPOSAL: i74: Encoding for non-ASCII headers

From: Martin Duerst <duerst@it.aoyama.ac.jp>
Date: Tue, 01 Apr 2008 14:15:52 +0900
Message-Id: <6.0.0.20.2.20080401125526.0a7320c0@localhost>
To: "Roy T. Fielding" <fielding@gbiv.com>, Henrik Nordstrom <henrik@henriknordstrom.net>
Cc: Julian Reschke <julian.reschke@gmx.de>, Stefan Eissing <stefan.eissing@greenbytes.de>, Robert Sayre <rsayre@mozilla.com>, Jamie Lokier <jamie@shareable.org>, HTTP Working Group <ietf-http-wg@w3.org>

At 03:28 08/04/01, Roy T. Fielding wrote:
>
>On Mar 31, 2008, at 10:51 AM, Henrik Nordstrom wrote:

>> But at least IE6 has optional support for sending URLs using raw  
>> UTF-8,
>> and it do send raw UTF-8 in the Host header in such setups..
>
>Whoa, that will open up a new can of security worms.

Do you mean due to the nature of UTF-8, or due to
implementations that didn't do enough defensive programming?

Some of this has been around for quite a while.
With security, there is no 100%, but the chances are that
potential security holes have already received some
scrutinity.

Regards,    Martin.


#-#-#  Martin J. Du"rst, Assoc. Professor, Aoyama Gakuin University
#-#-#  http://www.sw.it.aoyama.ac.jp       mailto:duerst@it.aoyama.ac.jp     
Received on Tuesday, 1 April 2008 06:26:33 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:50:46 GMT