W3C home > Mailing lists > Public > ietf-http-wg@w3.org > October to December 2010

Re: [#259] Handling invalid Content-Dispostion headers

From: Julian Reschke <julian.reschke@gmx.de>
Date: Thu, 04 Nov 2010 16:16:59 +0100
Message-ID: <4CD2CE6B.4060201@gmx.de>
To: Mark Nottingham <mnot@mnot.net>
CC: httpbis Group <ietf-http-wg@w3.org>, Adam Barth <ietf@adambarth.com>
On 04.11.2010 03:42, Mark Nottingham wrote:
> In looking at Adam's feedback and the resulting discussion, I'm considering whether we should try to define an OPTIONAL error-handling profile that defines a method of handling invalid Content-Disposition field-values.
>
> E.g., this could be an appendix to the specification that lists a set of behaviours, such as:
>    - when there are multiple parameters with the same value, choose the first one
>    - when there are characters that aren't allowed in the BNF, transform them to...
>    - etc.
> that implementers could follow if they wish to. Other specifications could, at their option, require conformance to such a profile.
>
> By necessity, such a thing would not duplicate requirements from the authoritative text, would not override those requirements, and it would not provide alternate algorithms.
>
> To help figure out if this is a productive way to go, I'd like to hear:
>   a) thoughts from folks about this approach, and
>   b) some indication of who'd be willing to contribute text and/or time for testing, and
>   c) expressions of interest from implementers in such an optional profile (i.e., an indication that it's something they'd find useful).
>
> </chair hat>

I believe it would be a waste of energy to specify a specific strategy 
*unless* we have evidence that it's needed in practice. For this 
particular case (Content-Disposition in HTTP) I added several tests for 
invalid headers just to observe whether implementations agree on what to 
do, and in most cases they do not.

In addition, micro-managing this may even be harmful if we end up 
defining different strategies for different headers (for instance for 
Content-Type as compared to Content-Disposition). It seems it would be a 
better use of our time to work on test cases, identify common syntax 
patterns, and help UAs to get their code fixed.

That being said: a potential security risk changes things (see 
Content-Length).

Finally, I'm not opposed to people working on things like Informational 
RFCs on this topic, but we should be careful that these documents then 
really represent cross-UA agreement, and not just what somebody learned 
from several browser's source code. (For instance, HTML5 has 
requirements on Content-Type parsing that disagree with what IE does, 
but the spec claims it's needed for "compatibility with existing content").

Best regards, Julian
Received on Thursday, 4 November 2010 15:17:40 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:51:32 GMT