- From: Roy T. Fielding <fielding@gbiv.com>
- Date: Tue, 20 Aug 2013 18:06:26 -0700
- To: James M Snell <jasnell@gmail.com>
- Cc: "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>

On Aug 20, 2013, at 4:22 PM, James M Snell wrote:

> HTTPbis currently defines the request method as a "token" of unbounded-length.
>
> Specifically:
>
>   tchar = "!" / "#" / "$" / "%" / "&" / "'" / "*" / "+" / "-" / "." /
>           "^" / "_" / "`" / "|" / "~" / DIGIT / ALPHA
>   token = 1*tchar
>   method = token
>
> This definition is overly broad and does not reflect real world use
> [http://tools.ietf.org/html/draft-ietf-httpbis-method-registrations-12].
>
> I propose that in HTTP/2 we tighten this definition up significantly
> and place an upper bound on the length a request method ought to be:
>
>   UPPER = %x41-5A
>   method = UPPER *20( UPPER / "_" / "-" )

No. The specification already explains why that isn't desirable
for gateways, and it actually makes the security properties of
applications worse if they think they can rely on the ABNF to
limit received syntax lengths.

....Roy

Received on Wednesday, 21 August 2013 01:06:51 UTC
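
An added example, not part of the message above or of any HTTP implementation: a receiver that reads the method token under a length limit it chooses and enforces itself, instead of trusting the grammar to bound what arrives. `METHOD_MAX`, `parse_method` and the status names are assumptions made for this sketch.

```c
#include <stddef.h>
#include <string.h>

/* Receiver's own policy limit (assumed value), including the trailing NUL.
   It is deliberately not derived from the ABNF. */
#define METHOD_MAX 32

enum method_status { METHOD_OK, METHOD_BAD_SYNTAX, METHOD_TOO_LONG };

/* tchar as quoted in the message above. */
static int is_tchar(unsigned char c)
{
    if ((c >= '0' && c <= '9') || (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z'))
        return 1;
    return c != '\0' && strchr("!#$%&'*+-.^_`|~", c) != NULL;
}

/* Copy the method token at the start of a request line into out[out_size].
   buf holds len received bytes and need not be NUL-terminated.
   On any failure out is left as an empty string (when out_size > 0). */
enum method_status parse_method(const char *buf, size_t len,
                                char *out, size_t out_size)
{
    size_t n = 0;

    if (out_size > 0)
        out[0] = '\0';
    while (n < len && buf[n] != ' ') {
        if (!is_tchar((unsigned char)buf[n]))
            return METHOD_BAD_SYNTAX;
        n++;
        if (n >= out_size)          /* token plus NUL would not fit: stop here */
            return METHOD_TOO_LONG;
    }
    if (n == 0 || n == len)         /* empty token, or no SP delimiter seen */
        return METHOD_BAD_SYNTAX;
    memcpy(out, buf, n);
    out[n] = '\0';
    return METHOD_OK;
}
```

The bound is checked on every byte, so an oversized token is rejected after at most `out_size` bytes have been examined and nothing is written past the buffer, whatever length a sender or an intermediary's grammar permits.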