- From: Dale Anderson <dra@redevised.net>
- Date: Fri, 30 Dec 2011 09:00:58 -0800
- To: Daniel Stenberg <daniel@haxx.se>
- Cc: HTTP Working Group <ietf-http-wg@w3.org>

> It turns out both browsers always unconditionally lower case the host name in URIs so they never send HTTP requests with mixed case.

I've seen common browsers also "treat" the URI path (percent-encode it, most notably). I appreciate that curl is a li'l more literal for HTTP testing work. I hope curl and libcurl would stay that way and leave standardizing case optional, if anything. I only used the Python bindings; it seems like it would fall under one of those 'setopt' calls to change the default for whether it's standardizing case to lowercase before constructing the request-line and Host header, maybe with an independent option for request-line and Host-header case lowering.

> Why do they do this? Is this behavior of treating names differently based on
> case common? If so, should httpbis mention it?

They being HTTP daemons and applications:

- they are just used to being fed mechanically-softed lowercase strings from browsers
- they weren't tested for what happens when that varies
- it was cheap and easy to do a quick strcmp() call instead of something case-insensitive
- shout out to the implementation that its redirect should be comparing hostnames on a case-insensitive basis, else application-delivery/firewall may have to step in to mitigate

There can be various exploits and bugs along these lines!

Dale Anderson
Received on Friday, 30 December 2011 17:01:32 UTC
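
The strcmp() shortcut named in the message above, next to a case-insensitive host comparison, as an added example that is not part of the original message. The function names and sample host names are hypothetical; the example assumes the caller compares the port separately.

```c
#include <stddef.h>
#include <string.h>

/* Byte-exact comparison, the shortcut the message describes:
 * "Example.COM" and "example.com" are treated as different hosts. */
int host_equal_exact(const char *a, const char *b)
{
    return strcmp(a, b) == 0;
}

/* Lower-case one ASCII letter without consulting the C locale, so the
 * result is the same under every locale setting. */
static unsigned char ascii_lower(unsigned char c)
{
    return (c >= 'A' && c <= 'Z') ? (unsigned char)(c + ('a' - 'A')) : c;
}

/* Length of the host part of a Host header value: stops at ":port"
 * and drops one trailing dot ("example.com." names the same host).
 * A bracketed IPv6 literal is kept whole up to the closing ']'. */
static size_t host_len(const char *h)
{
    size_t n;
    if (h[0] == '[') {
        const char *end = strchr(h, ']');
        return end ? (size_t)(end - h) + 1 : strlen(h);
    }
    n = strcspn(h, ":");
    if (n > 0 && h[n - 1] == '.')
        n--;
    return n;
}

/* Case-insensitive comparison of the host part only (assumption: the
 * caller checks the port on its own). Returns 1 on match, 0 otherwise. */
int host_equal(const char *a, const char *b)
{
    size_t la = host_len(a), lb = host_len(b), i;
    if (la != lb)
        return 0;
    for (i = 0; i < la; i++)
        if (ascii_lower((unsigned char)a[i]) != ascii_lower((unsigned char)b[i]))
            return 0;
    return 1;
}
```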