- From: Jamie Lokier <jamie@shareable.org>
- Date: Mon, 6 Mar 2006 18:07:59 +0000
- To: Julian Reschke <julian.reschke@gmx.de>
- Cc: jg@freedesktop.org, Larry Masinter <LMM@acm.org>, "'HTTP Working Group'" <ietf-http-wg@w3.org>

On a closely related note...

When I joined this list a couple of years ago, I had a couple of questions that were unsatisfactorily answered in RFC2616, and after discussing them here, proposed clearer wording.

One, which is a mild kind of security hole because of differing implementations, is whether whitespace is allowed before the colon following a header name. The text seems to suggest yes and no simultaneously depending how you parse it, so I proposed something clearer. Apache's implementation was, after many years, changed from "no" to "yes" ostensibly to fix a security hole, yet it's questionable if that's better or worse because implementations aren't consistent about their interpretation of the space, and a secure proxy (for example) should block rather than allow it, because of that inconsistency.

Another, which I questioned and so did someone else a few months later, was about pipelining and Expect: 100-continue. The text on that is a bit unclear in parts, although by deduction there's only one valid behaviour. I had to have it explained to me, so it seemed like a good idea to clarify the text.

I joined the list to ask those questions and hoping to clarify the text, if nothing else - if I was confused, you could bet I wasn't the only confused implementor.

But how do such changes get to the errata list? I got the impression that the HTTP errata list was no longer accepting additions, and ran out of time and motivation then.

-- Jamie

Received on Monday, 6 March 2006 18:08:11 UTC
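
The "block rather than allow" policy for whitespace before the colon, sketched as a proxy-side header check. This is an added example, not part of the original message and not code from Apache or any other implementation it mentions; the function and exception names and the sample header blocks are constructed for illustration.

```python
import re

# RFC 2616 "token": any CHAR except CTLs and separators.
TOKEN = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")


class HeaderRejected(ValueError):
    """The header block must be blocked rather than forwarded."""


def parse_header_block(block: bytes) -> list[tuple[bytes, bytes]]:
    """Parse the header lines that follow the request line.

    Returns (name, value) pairs. Raises HeaderRejected for any line whose
    field name is not a bare token immediately followed by the colon.
    """
    headers: list[tuple[bytes, bytes]] = []
    for lineno, line in enumerate(block.split(b"\r\n"), start=1):
        if line == b"":
            break  # blank line ends the header block
        if line[:1] in (b" ", b"\t"):
            # Leading SP/HT is a folded continuation of the previous value,
            # not a field name with whitespace in it.
            if not headers:
                raise HeaderRejected(f"line {lineno}: continuation with no header")
            name, value = headers[-1]
            headers[-1] = (name, value + b" " + line.strip(b" \t"))
            continue
        name, sep, value = line.partition(b":")
        if not sep:
            raise HeaderRejected(f"line {lineno}: no colon")
        if name != name.rstrip(b" \t"):
            # The ambiguous case: refuse instead of guessing how the
            # next hop will interpret the space.
            raise HeaderRejected(f"line {lineno}: whitespace before colon")
        if not TOKEN.fullmatch(name):
            raise HeaderRejected(f"line {lineno}: invalid field name")
        headers.append((name, value.strip(b" \t")))
    return headers


# Constructed sample header blocks (not captured traffic).
GOOD = b"Host: example.test\r\nContent-Length: 5\r\n\r\n"
AMBIGUOUS = b"Host: example.test\r\nContent-Length : 5\r\n\r\n"
```

A proxy using this check would answer a request like `AMBIGUOUS` with an error response instead of forwarding it or silently normalising the header.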