W3C home > Mailing lists > Public > ietf-http-wg@w3.org > January to March 2010

Re: allowable characters in token as used in parameter ABNF

From: Dan Winship <dan.winship@gmail.com>
Date: Fri, 05 Feb 2010 13:04:07 -0500
Message-ID: <4B6C5D97.8050602@gmail.com>
To: Julian Reschke <julian.reschke@gmx.de>
CC: Anne van Kesteren <annevk@opera.com>, HTTP Working Group <ietf-http-wg@w3.org>, Mark Nottingham <mnot@mnot.net>
On 02/05/2010 10:59 AM, Julian Reschke wrote:
>> Don't many headers accept more bytes there? E.g. cookie related headers. 
> 
> Indeed, Cookies (as specced in RFC 2109) use that pattern as well.

RFC 2109 isn't used though. Set-Cookie and Cookie are complete
disasters, syntax-wise, and are almost certainly treated as
special-cases even by clients that otherwise use a generic parser.

>> Do many use a generic parser?

Evidence from Digest auth interoperability bugs is that some (probably
most) do, but some don't. Lots of people generate
WWW-Authenticate/Authorization headers under the assumption that the
receiving implementation will just parse it as "token 1#parameter". But
other people have written parsers that require that the parameters are
quoted if and only if they are quoted in RFC 2617 sections 3.2.1 and
3.2.2. (So eg, the "response" parameter MUST be quoted, but the "nc"
parameter MUST NOT be, even though they are both syntactically tokens.)
And then those people file bugs (and write Internet Drafts:
http://tools.ietf.org/html/draft-smith-sipping-auth-examples-01#section-2.1)
yelling at the people who assumed the grammar was generic.

-- Dan
Received on Friday, 5 February 2010 18:04:38 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:51:16 GMT