More on allowed field characters

Hey all,

It seems like the allowed characters in fields is a gift that keeps on giving.

Roy opened https://github.com/httpwg/http2-spec/issues/902 asking about DQUOTE and "(),/:;<=>?@[]{}".

The text is here: https://httpwg.org/http2-spec/draft-ietf-httpbis-http2bis.html#name-field-validity

When we made changes for field validation, our intent was not to override requirements in core semantics, but to specify just the bare minimum for interoperability and security.  For interoperability we dropped uppercase field names.  For security, the focus was on request smuggling.  So we block NUL, CR, LF, and COLON, but not a whole lot more.

We ended up saying the following about general validity:

> A recipient MAY treat a message that contains a field name or value that includes other characters disallowed by Section 5.1 of [HTTP] and Section 5.5 of [HTTP] as malformed (Section 8.1.1).

That is, requests that contain DQUOTE and friends are still invalid, but we don't require that HTTP/2 implementations specifically look for those octets and treat those messages as malformed.

Roy points out that there are connected systems (like CGI, which communicates using environment variables; yes, in 2021) that depend on field names not containing the above characters.  I believe that those systems are still protected by the rules in -semantics.  That is, after all, the most appropriate place for requirements of that nature.

The point of the text in HTTP/2 was to strengthen requirements.  I've reordered the text in https://github.com/httpwg/http2-spec/pull/936 and I think that is sufficient for this case.

Cheers,
Martin

Received on Monday, 23 August 2021 05:03:43 UTC
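
The two tiers described in the message above, as an added example that is not part of the original post or of the HTTP/2 draft. The function names and the three result labels are hypothetical. It assumes regular (non-pseudo-header) fields and checks COLON only in names, since field values legitimately contain colons.

```python
import string

# tchar from the HTTP "token" grammar: the only octets a field name may contain.
TCHAR = frozenset((string.ascii_letters + string.digits + "!#$%&'*+-.^_`|~").encode())
NAME_BLOCKED = frozenset(b"\x00\r\n:")   # octets the message says HTTP/2 blocks
VALUE_BLOCKED = frozenset(b"\x00\r\n")   # assumption: COLON is only checked in names

MUST_REJECT, MAY_REJECT, VALID = "must-reject", "may-reject", "valid"


def classify_field(name: bytes, value: bytes) -> str:
    """Classify a regular (non-pseudo-header) field; the labels are hypothetical."""
    # Tier 1: the HTTP/2 minimum (smuggling-relevant octets, uppercase names).
    if any(b in NAME_BLOCKED or 0x41 <= b <= 0x5A for b in name):
        return MUST_REJECT
    if any(b in VALUE_BLOCKED for b in value):
        return MUST_REJECT
    # Tier 2: still invalid under HTTP semantics, but HTTP/2 only says MAY.
    if not name or any(b not in TCHAR for b in name):
        return MAY_REJECT
    # Field values: VCHAR, SP, HTAB and obs-text (0x80-0xFF).
    if any(not (b in (0x09, 0x20) or 0x21 <= b <= 0x7E or b >= 0x80) for b in value):
        return MAY_REJECT
    return VALID


def cgi_env_name(name: bytes):
    """Map a field name to a CGI meta-variable name, or None if it is not a token."""
    if not name or any(b not in TCHAR for b in name):
        return None
    # CGI convention: upper-case the name, replace "-" with "_", prepend "HTTP_".
    return "HTTP_" + name.decode("ascii").upper().replace("-", "_")
```

A gateway that hands fields to CGI would forward only names for which `cgi_env_name` returns a value, which is the stricter -semantics rule rather than the HTTP/2 minimum.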