W3C home > Mailing lists > Public > ietf-http-wg@w3.org > July to September 2014

Re: consensus on :query ?

From: Poul-Henning Kamp <phk@phk.freebsd.dk>
Date: Mon, 21 Jul 2014 14:14:41 +0000
To: Julian Reschke <julian.reschke@gmx.de>
cc: Martin Thomson <martin.thomson@gmail.com>, Willy Tarreau <w@1wt.eu>, Roberto Peon <grmocg@gmail.com>, Phil Hunt <phil.hunt@oracle.com>, Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <36626.1405952081@critter.freebsd.dk>
In message <53CD15C8.8030506@gmx.de>, Julian Reschke writes:
>On 2014-07-21 15:20, Martin Thomson wrote:
>> On 21 July 2014 00:53, Willy Tarreau <w@1wt.eu> wrote:
>>>
>>> I'm not sure what you mean, we're speaking about having a single :query
>>> for whatever follows the question mark, right ? If so, all the params
>>> must be tried as a single block.
>>
>> Yes, but there could be cases where the combination of path and query
>> contain sufficiently high entropy in combination, but one or other
>> contains insufficient entropy on its own to resist guessing attacks.
>
>...again, if we do things like that please do not couple it with "?". 
>Just have two parts that get concatenated verbatim to reconstruct the 
>full path+query.

The definition (sorry RFC2616, I don't have the newer one here right
now):

     http_URL = "http:" "//" host [ ":" port ] [ abs_path [ "?" query ]]

So no, '?' it is if we do it.


-- 
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe    
Never attribute to malice what can adequately be explained by incompetence.
Received on Monday, 21 July 2014 14:15:30 UTC

This archive was generated by hypermail 2.3.1 : Wednesday, 30 March 2016 09:57:09 UTC