- From: Dan Winship <dan.winship@gmail.com>
- Date: Fri, 05 Feb 2010 13:04:07 -0500
- To: Julian Reschke <julian.reschke@gmx.de>
- CC: Anne van Kesteren <annevk@opera.com>, HTTP Working Group <ietf-http-wg@w3.org>, Mark Nottingham <mnot@mnot.net>
On 02/05/2010 10:59 AM, Julian Reschke wrote: >> Don't many headers accept more bytes there? E.g. cookie related headers. > > Indeed, Cookies (as specced in RFC 2109) use that pattern as well. RFC 2109 isn't used though. Set-Cookie and Cookie are complete disasters, syntax-wise, and are almost certainly treated as special-cases even by clients that otherwise use a generic parser. >> Do many use a generic parser? Evidence from Digest auth interoperability bugs is that some (probably most) do, but some don't. Lots of people generate WWW-Authenticate/Authorization headers under the assumption that the receiving implementation will just parse it as "token 1#parameter". But other people have written parsers that require that the parameters are quoted if and only if they are quoted in RFC 2617 sections 3.2.1 and 3.2.2. (So eg, the "response" parameter MUST be quoted, but the "nc" parameter MUST NOT be, even though they are both syntactically tokens.) And then those people file bugs (and write Internet Drafts: http://tools.ietf.org/html/draft-smith-sipping-auth-examples-01#section-2.1) yelling at the people who assumed the grammar was generic. -- Dan
Received on Friday, 5 February 2010 18:04:38 UTC