W3C home > Mailing lists > Public > ietf-http-wg@w3.org > July to September 2008

Re: Set-Cookie vs list header parsing (i129)

From: Roy T. Fielding <fielding@gbiv.com>
Date: Wed, 27 Aug 2008 18:27:51 -0700
Message-Id: <479AB0D9-7496-4595-819C-D1EF6DE56D42@gbiv.com>
Cc: "'Julian Reschke'" <julian.reschke@gmx.de>, "'Dan Winship'" <dan.winship@gmail.com>, <ietf-http-wg@w3.org>
To: Brian Smith <brian@briansmith.org>

On Aug 27, 2008, at 5:17 PM, Brian Smith wrote:
> Julian Reschke wrote:
>> Does this affect more headers than Set-Cookie?
>
> Dan pointed out that it also affects WWW-Authenticate. Dan's point  
> (which I
> agree with) is that since we've already found two specific header  
> fields
> where combining is problematic, it is safer to just recommend that
> implementors avoid the problem generally. Attempting to solve the  
> problem by
> enumerating the header fields that are known to be problematic is too
> brittle.

That is irrelevant.  We are specifying a deployed protocol, not
something we make up as we go along.  HTTP as deployed says that
all repeated header fields can be folded and that is exactly what
implementations do, with a specific exception for Set-Cookie
(because it was defined outside the IETF process).  I do not know
of any such exception for WWW-Authenticate.

If an implementation can't handle folding, then fix it.

....Roy
Received on Thursday, 28 August 2008 01:28:33 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:50:54 GMT