- From: Roy T. Fielding <fielding@gbiv.com>
- Date: Wed, 27 Aug 2008 18:27:51 -0700
- To: Brian Smith <brian@briansmith.org>
- Cc: "'Julian Reschke'" <julian.reschke@gmx.de>, "'Dan Winship'" <dan.winship@gmail.com>, <ietf-http-wg@w3.org>
On Aug 27, 2008, at 5:17 PM, Brian Smith wrote:

> Julian Reschke wrote:
>> Does this affect more headers than Set-Cookie?
>
> Dan pointed out that it also affects WWW-Authenticate. Dan's point (which I
> agree with) is that since we've already found two specific header fields
> where combining is problematic, it is safer to just recommend that
> implementors avoid the problem generally. Attempting to solve the problem by
> enumerating the header fields that are known to be problematic is too
> brittle.

That is irrelevant. We are specifying a deployed protocol, not
something we make up as we go along. HTTP as deployed says that
all repeated header fields can be folded and that is exactly what
implementations do, with a specific exception for Set-Cookie
(because it was defined outside the IETF process). I do not know
of any such exception for WWW-Authenticate.

If an implementation can't handle folding, then fix it.

....Roy
Received on Thursday, 28 August 2008 01:28:33 UTC
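
The folding rule discussed in this message, as an added example that is not part of the original email: repeated fields are combined into one comma-separated value, Set-Cookie instances are kept separate, and a recipient splits a combined value on commas outside quoted strings. The function names and the sample header values are constructed for illustration.

```python
# Added illustration: names and sample values are constructed, not from the thread.
NO_COMBINE = {"set-cookie"}  # the one exception named in the message

def combine_fields(fields):
    """Fold repeated fields into one comma-separated value (first-seen order)."""
    out, index = [], {}
    for name, value in fields:
        key = name.lower()                      # field names are case-insensitive
        if key in NO_COMBINE:
            out.append((name, value.strip()))   # keep each instance separate
        elif key in index:
            i = index[key]
            out[i] = (out[i][0], out[i][1] + ", " + value.strip())
        else:
            index[key] = len(out)
            out.append((name, value.strip()))
    return out

def split_list(value):
    """Split a combined value on commas that are outside quoted strings."""
    items, cur, quoted, escaped = [], [], False, False
    for ch in value:
        if escaped:
            escaped = False                     # character after a backslash is literal
        elif quoted and ch == "\\":
            escaped = True
        elif ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:
            items.append("".join(cur).strip())
            cur = []
            continue
        cur.append(ch)
    items.append("".join(cur).strip())
    return [item for item in items if item]

# Constructed sample header fields, as (name, value) pairs in wire order.
SAMPLE = [
    ("Accept", "text/html"),
    ("Set-Cookie", "a=1; Expires=Wed, 27 Aug 2008 18:27:51 GMT"),
    ("accept", "application/xml"),
    ("Set-Cookie", "b=2"),
    ("WWW-Authenticate", 'Basic realm="a, b"'),
    ("WWW-Authenticate", 'Digest realm="x", nonce="n1"'),
]

if __name__ == "__main__":
    for name, value in combine_fields(SAMPLE):
        print(f"{name}: {value}")
```

If the two Set-Cookie values were folded, `split_list` would return three pieces for two cookies, because the Expires date itself contains a comma. The folded WWW-Authenticate value splits cleanly around the quoted realm, but the recipient still has to decide which elements start a new challenge and which are parameters of the previous one.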