
Closing #30: Header LWS

From: Mark Nottingham <mnot@mnot.net>
Date: Mon, 6 Apr 2009 19:58:11 +1000
Message-Id: <111103EC-7B67-464E-9220-7F8884B26758@mnot.net>
To: HTTP Working Group <ietf-http-wg@w3.org>

With the ABNF changes and explicit whitespace in the -06 drafts, the
editors believe that issue #30 is addressed.

Specifically:

1. Is LWS permitted between the field-name and colon?

No, because this is a security issue. Relevant text from p1:

> No whitespace is allowed between the header field-name and colon.  
> For security reasons, any request message received containing such  
> whitespace MUST be rejected with a response code of 400 (Bad  
> Request) and any such whitespace in a response message MUST be  
> removed.

2. What about LWS before the field-name?

Not allowed in the proposed grammar.


--
Mark Nottingham     http://www.mnot.net/
Received on Monday, 6 April 2009 09:58:49 UTC
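
The two rules in the message above, written as a header-line parser. This is an added example, not code from the drafts or from the working group. The names `parse_header_line`, `HeaderSyntaxError` and `BadRequest` are hypothetical, the sample lines are constructed, and rejecting any line that starts with whitespace (rather than treating it as a folded continuation) is an assumption of the example.

```python
import re

# Characters allowed in a field-name (the HTTP/1.1 "token" character set).
_TOKEN = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
_WS = b" \t"


class HeaderSyntaxError(ValueError):
    """The line does not match the header-field grammar."""


class BadRequest(HeaderSyntaxError):
    """Request must be answered with 400 (Bad Request)."""
    status = 400


def parse_header_line(line: bytes, *, is_request: bool) -> tuple[str, str]:
    """Parse one header line (CRLF already removed) into (name, value).

    Requests with whitespace between field-name and colon are rejected;
    in responses that whitespace is removed before the name is used.
    """
    # Point 2 of the message: no whitespace before the field-name.
    # Assumption of this example: such a line is rejected outright.
    if line[:1] and line[:1] in _WS:
        raise HeaderSyntaxError("whitespace before field-name")

    name, colon, value = line.partition(b":")
    if not colon:
        raise HeaderSyntaxError("missing colon")

    # Point 1 of the message: whitespace between field-name and colon.
    trimmed = name.rstrip(_WS)
    if trimmed != name:
        if is_request:
            raise BadRequest("whitespace between field-name and colon")
        name = trimmed  # response: remove the whitespace

    if not _TOKEN.fullmatch(name):
        raise HeaderSyntaxError("field-name is not a token")
    return name.decode("ascii"), value.strip(_WS).decode("latin-1")


if __name__ == "__main__":
    # Constructed sample lines.
    print(parse_header_line(b"Host: example.com", is_request=True))
    print(parse_header_line(b"Server \t: demo", is_request=False))
```

Doing the check before any header lookup means a name such as `Content-Length ` never reaches code that matches on exact field names.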
