- From: Mark Nottingham <mnot@mnot.net>
- Date: Wed, 2 Jul 2014 16:07:51 +1000
- To: David Krauss <potswa@gmail.com>
- Cc: Martin Thomson <martin.thomson@gmail.com>, "Julian F. Reschke" <julian.reschke@gmx.de>, HTTP Working Group <ietf-http-wg@w3.org>

On 2 Jul 2014, at 4:04 pm, David Krauss <potswa@gmail.com> wrote:

> On 2014–07–02, at 1:53 PM, Mark Nottingham <mnot@mnot.net> wrote:
>
>> Um, no. Collapsing the two namespaces into one is a security nightmare along the lines of <https://www.owasp.org/index.php/HTTP_Request_Smuggling>.
>
> Then, say so in the spec that ALPN tokens shouldn’t alias pseudos with headers and ALPN-basis APIs shouldn’t expose headers as pseudos (the converse of the existing restriction).
>
> Just to point out, you don’t have that problem in the first place if you don’t open the second namespace.

Now I'm confused. We're currently talking about whether extra :headers are a hard error when http/2 is in use.

What's an ALPN-basis API?

--
Mark Nottingham https://www.mnot.net/

Received on Wednesday, 2 July 2014 06:08:19 UTC