W3C home > Mailing lists > Public > ietf-http-wg@w3.org > January to March 2013

Re: Multiple header fields with the same field name - unwritten assumption about quoted commas in values?

From: Zhong Yu <zhong.j.yu@gmail.com>
Date: Wed, 16 Jan 2013 12:32:22 -0600
Message-ID: <CACuKZqH226evA0v26aop5oXtbjm8m=ePFip=1roJmrA3tygrGg@mail.gmail.com>
To: Willy Tarreau <w@1wt.eu>
Cc: "Roy T. Fielding" <fielding@gbiv.com>, Nico Williams <nico@cryptonector.com>, Mark Nottingham <mnot@mnot.net>, Karl Dubost <karld@opera.com>, Julian Reschke <julian.reschke@gmx.de>, Piotr Dobrogost <p@ietf.dobrogost.net>, ietf-http-wg@w3.org
On Wed, Jan 16, 2013 at 12:52 AM, Willy Tarreau <w@1wt.eu> wrote:
> On Tue, Jan 15, 2013 at 05:12:51PM -0800, Roy T. Fielding wrote:
>> On Jan 15, 2013, at 4:07 PM, Nico Williams wrote:
>>
>> > On Tue, Jan 15, 2013 at 6:01 PM, Mark Nottingham <mnot@mnot.net> wrote:
>> >> On 16/01/2013, at 10:57 AM, Nico Williams <nico@cryptonector.com> wrote:
>> >>> No.  I'm saying that it's OK for apps to do that but not any other
>> >>> entities (middleboxes), mostly because middleboxes can't possibly know
>> >>> about headers that hadn't been registered when they were implemented.
>> >>
>> >> OK. Is this an actual problem you've encountered?
>> >>
>> >> I'm fine with adding some clarifying text if it helps implementers, but I haven't seen this confusing any middlebox vendors; they tend to leave the bits alone...
>> >
>> > I noticed Poul's and someone else's replies that in their middlebox
>> > implementations they concluded that it's never safe to merge headers.
>> > If that's the case (and I do think it follows from the facts that it
>> > is the case) then we should say so rather than leave each implementor
>> > to figure this out on their own.
>>
>> The requirement is on generating headers, so it does not concern
>> middlebox vendors other than for the fields that they add to a message.
>>
>> Apache httpd merges header fields as they are read from the network.
>> So does any correctly written client that reads internet message format
>> (like all of the common MIME and libwww libraries).  If you want to
>> interoperate on the Web, field generators must obey that requirement.
>
> Roy, you're totally right here. If Apache merges multiple instances of
> a header, it is because the client did so, and as per the spec, it was
> allowed to do so because the headers were mergeable.
>
> However I've seen some corner cases caused by applications (not middleboxes)
> sometimes adding a header that was already present and not mergeable (eg:
> the Date or Location header). I know that Apache has a special handling of

If different applications interpret duplicate headers differently, we
have a serious problem

    Location: http://abc.com
    Location: http://xyz.com

Some chooses the 1st one, some chooses the 2nd one, and some may see
the merged `http://abc.com,http://xyz.com` (a valid URI)

We probably should require that an application either reject the
message, or merge the header first if it wants to parse the header.

Zhong Yu

> the Set-Cookie header, I don't know if it does so for other well-known
> non-mergeable headers which are supposed to contain commas.
>
> Due to this mess caused by bogus applications, I finally decided that I
> won't merge headers in haproxy, I didn't want to start dealing with a list
> of exceptions. And I think it's the same reasoning for Poul Henning.
>
> That said, I disagree with having the spec declare Apache non-compliant,
> as it is doing the correct job in my opinion, as long as clients are
> compliant.
>
> But probably we could discourage future middlebox implementors from merging,
> by making them aware of the difficulty of doing it right. This would just be
> a non-normative warning then.
>
> Willy
>
>
Received on Wednesday, 16 January 2013 18:32:49 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Wednesday, 16 January 2013 18:32:52 GMT