- From: Julian Reschke <julian.reschke@gmx.de>
- Date: Sat, 24 May 2008 11:59:02 +0200
- To: "Zed A. Shaw" <zedshaw@zedshaw.com>
- CC: HTTP Working Group <ietf-http-wg@w3.org>

Zed A. Shaw wrote:
> ...
> On another note, is there a reason why it's specified this way with
> the allowed empty elements at random locations?

I have no idea what it's good for and why it was specified this way in the first place.

> It makes more sense to just not send anything that'd be empty, rather
> than using empty elements. In theory someone could just stream a ton of
> ',' to make the server do useless work, which could thwart some poorly
> implemented parsers.

As far as I recall, it's a known attack vector (don't forget there can be CRs in between the list as well...).

> I'm curious about the history if anyone knows it.

BR, Julian
Received on Saturday, 24 May 2008 09:59:45 UTC
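
The concern raised in this message, a header value made up mostly of empty list elements (possibly with folded whitespace between the commas), can be handled with one linear pass and a cap on empty elements. The following is an added example, not code from the message or from any server; `parse_list`, `ListRejected`, `is_accepted` and both limits are assumed names and policy values.

```python
# Added example: one-pass parser for HTTP comma lists (RFC 2616 "#rule").
# MAX_VALUE_LEN and MAX_EMPTY are assumed policy limits, not spec values.
MAX_VALUE_LEN = 8192
MAX_EMPTY = 16
LWS = " \t\r\n"  # linear whitespace, including folded CR LF

class ListRejected(ValueError):
    """Raised when a header value exceeds the configured limits."""

def parse_list(value, max_len=MAX_VALUE_LEN, max_empty=MAX_EMPTY):
    if len(value) > max_len:
        raise ListRejected("header value too long")
    items, buf, empty = [], [], 0
    in_quotes = escaped = False
    for ch in value:
        if in_quotes:  # commas inside a quoted-string are data
            buf.append(ch)
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_quotes = False
        elif ch == ",":
            element = "".join(buf).strip(LWS)
            buf.clear()
            if element:
                items.append(element)
            else:  # empty element: skipped, but counted against the cap
                empty += 1
                if empty > max_empty:
                    raise ListRejected("too many empty list elements")
        else:
            in_quotes = ch == '"'
            buf.append(ch)
    if in_quotes:
        raise ListRejected("unterminated quoted-string")
    last = "".join(buf).strip(LWS)
    if last:
        items.append(last)
    return items

def is_accepted(value):
    try:
        parse_list(value)
        return True
    except ListRejected:
        return False

SAMPLE = 'gzip, , deflate,\r\n ,,"a,b";q=1'  # constructed input
```

Each character is visited once and the parser stops at the first limit it hits, so a value consisting only of commas costs at most `MAX_EMPTY + 1` iterations before rejection.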