Re: allowable characters in token as used in parameter ABNF

On 02/05/2010 10:59 AM, Julian Reschke wrote:
>> Don't many headers accept more bytes there? E.g. cookie related headers. 
> Indeed, Cookies (as specced in RFC 2109) use that pattern as well.

RFC 2109 isn't used though. Set-Cookie and Cookie are complete
disasters, syntax-wise, and are almost certainly treated as
special-cases even by clients that otherwise use a generic parser.

>> Do many use a generic parser?

Evidence from Digest auth interoperability bugs is that some (probably
most) do, but some don't. Lots of people generate
WWW-Authenticate/Authorization headers under the assumption that the
receiving implementation will just parse it as "token 1#parameter". But
other people have written parsers that require that the parameters are
quoted if and only if they are quoted in RFC 2617 sections 3.2.1 and
3.2.2. (So eg, the "response" parameter MUST be quoted, but the "nc"
parameter MUST NOT be, even though they are both syntactically tokens.)
And then those people file bugs (and write Internet Drafts:
yelling at the people who assumed the grammar was generic.

-- Dan

Received on Friday, 5 February 2010 18:04:38 UTC