- From: Roy T. Fielding <fielding@gbiv.com>
- Date: Tue, 7 Feb 2012 17:22:35 -0800
- To: Mark Nottingham <mnot@mnot.net>
- Cc: Eric Lawrence <ericlaw@exchange.microsoft.com>, Bjoern Hoehrmann <derhoermi@gmx.net>, httpbis Group <ietf-http-wg@w3.org>
On Feb 7, 2012, at 4:53 PM, Mark Nottingham wrote: > Current text: > """ > In the interest of robustness, servers SHOULD ignore at least one > empty line received where a Request-Line is expected. In other > words, if the server is reading the protocol stream at the beginning > of a message and receives a CRLF first, it SHOULD ignore the CRLF. > """ > > Proposal: > > """ > In the interest of robustness, servers SHOULD ignore at least one > empty line received where a Request-Line is expected. In other > words, if the server is reading the protocol stream at the beginning > of a message and receives a CRLF first, it SHOULD ignore the CRLF. > > Likewise, clients SHOULD ignore at least one empty line received > where a Status-Line is expected. > > Note that this relaxation does not apply to other characters; ignoring > arbitrary non-whitespace characters before a message enables > cross-protocol attacks. > """ No, there is no need nor desire for such a relaxation. The first rule is to allow for backwards-compatible behavior with clients that send CRLF at the end of a request without including it in the request message body count. This new addition has no corresponding need. IE is just handling a message error, which is entirely dependent on the type of client being used. ....Roy
Received on Wednesday, 8 February 2012 01:25:51 UTC