Re: Core #30: HTTP Field Name Syntax

On 2018-10-15 07:21, Mark Nottingham wrote:
> <https://github.com/httpwg/http-core/issues/30>
> 
> We discussed this in Montreal, and there seemed to be support in the room (and on the issues list) for restricting the characters available in HTTP headers to a more reasonable range.
> 
> The straw-man I put into the issue was:
> 
> 1*( "-" / "_" / "." / "+" / DIGIT / ALPHA )
> 
> What do folks think about this?
> 
> If a server were to reject request headers that include characters outside this range, I think we'd be OK, since browsers don't produce such things (AFAICT; of course, we'd want to look into this more closely first).
> 
> I'd imagine that clients (especially browsers) would want to run some experiments first, and probably warn in the console, etc. before failing hard on this.
> 
> Thoughts?
> 
> Cheers,

I'm not convinced (but I could be).

What actual problem are we solving with that?

Do HTTP clients/servers currently reject illegal field names (do we have 
tests for that)? If they do not, why?

Best regards, Julian

Received on Monday, 15 October 2018 06:25:35 UTC
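
Added example, not part of the original messages or of any HTTP WG text: a small checker that sorts field names into those the straw-man above would accept, those that are legal only under the current RFC 7230 `token` grammar (`1*tchar`, which the thread does not quote), and those illegal under both. It is the kind of test the reply asks about. The function names and the sample header block are constructed for illustration.

```python
import re

# Current grammar (RFC 7230): field-name = token = 1*tchar
TOKEN_RE = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
# Straw-man from the quoted message: 1*( "-" / "_" / "." / "+" / DIGIT / ALPHA )
STRAWMAN_RE = re.compile(rb"[-_.+0-9A-Za-z]+")


def classify(name: bytes) -> str:
    """Classify one field name against both grammars."""
    if STRAWMAN_RE.fullmatch(name):
        return "ok"            # accepted by the straw-man (and by token)
    if TOKEN_RE.fullmatch(name):
        return "token-only"    # legal today, rejected by the straw-man
    return "illegal"           # not even a valid token


def audit_header_block(raw: bytes):
    """Return [(field_name, classification)] for each line of a header block."""
    results = []
    for line in raw.split(b"\r\n"):
        if not line:
            continue
        name, sep, _value = line.partition(b":")
        # A line without a colon has no field name at all.
        results.append((name, classify(name) if sep else "illegal"))
    return results


# Constructed sample input, not captured traffic.
SAMPLE = (
    b"Host: example.com\r\n"
    b"X-Forwarded-For: 192.0.2.1\r\n"
    b"X_Custom.Header+1: a\r\n"
    b"X-Weird|Name~: b\r\n"
    b"X-Space : c\r\n"
    b"X-Bad(Name): d\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    for field, verdict in audit_header_block(SAMPLE):
        print(f"{verdict:10} {field!r}")
```

Running the same audit over logged request headers gives a count of "token-only" names, which is the traffic a server enforcing the straw-man would start rejecting.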