- From: Mark Nottingham <mnot@mnot.net>
- Date: Wed, 8 Feb 2012 12:25:34 +1100
- To: Roy T. Fielding <fielding@gbiv.com>
- Cc: Eric Lawrence <ericlaw@exchange.microsoft.com>, Bjoern Hoehrmann <derhoermi@gmx.net>, httpbis Group <ietf-http-wg@w3.org>
On 08/02/2012, at 12:22 PM, Roy T. Fielding wrote:

> On Feb 7, 2012, at 4:53 PM, Mark Nottingham wrote:
>
>> Current text:
>> """
>> In the interest of robustness, servers SHOULD ignore at least one
>> empty line received where a Request-Line is expected. In other
>> words, if the server is reading the protocol stream at the beginning
>> of a message and receives a CRLF first, it SHOULD ignore the CRLF.
>> """
>>
>> Proposal:
>>
>> """
>> In the interest of robustness, servers SHOULD ignore at least one
>> empty line received where a Request-Line is expected. In other
>> words, if the server is reading the protocol stream at the beginning
>> of a message and receives a CRLF first, it SHOULD ignore the CRLF.
>>
>> Likewise, clients SHOULD ignore at least one empty line received
>> where a Status-Line is expected.
>>
>> Note that this relaxation does not apply to other characters; ignoring
>> arbitrary non-whitespace characters before a message enables
>> cross-protocol attacks.
>> """
>
> No, there is no need nor desire for such a relaxation. The first rule is
> to allow for backwards-compatible behavior with clients that send CRLF at
> the end of a request without including it in the request message body count.
> This new addition has no corresponding need. IE is just handling a
> message error, which is entirely dependent on the type of client being used.

Yeah. I'm on the fence about this one; on the one hand, it's not a hard interop requirement, but on the other, pretty much every client does it, AFAICT.

--
Mark Nottingham   http://www.mnot.net/

Received on Wednesday, 8 February 2012 01:31:56 UTC
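
The proposed text in the message above, sketched as a client-side check. This is an added example, not code from the thread or from any HTTP implementation: read_status_line, FramingError, the simplified Status-Line pattern and the sample byte strings are all constructed for illustration.

```python
import re

# Assumption: simplified HTTP/1.x Status-Line shape; the reason phrase may be empty.
STATUS_LINE = re.compile(rb"HTTP/\d\.\d \d{3} [^\r\n]*")


class FramingError(ValueError):
    """Bytes ahead of the start line were not a tolerated empty line."""


def read_status_line(buf: bytes, max_empty_lines: int = 1):
    """Return (status_line, remaining_bytes) from the start of a response.

    Up to max_empty_lines leading CRLFs are skipped. Any other byte ahead of
    the Status-Line is reported as an error instead of being discarded.
    """
    pos = 0
    skipped = 0
    while buf.startswith(b"\r\n", pos):
        if skipped == max_empty_lines:
            raise FramingError("too many empty lines before Status-Line")
        pos += 2
        skipped += 1
    end = buf.find(b"\r\n", pos)
    if end == -1:
        raise FramingError("incomplete Status-Line")
    line = buf[pos:end]
    if not STATUS_LINE.fullmatch(line):
        raise FramingError(f"unexpected bytes before Status-Line: {line[:20]!r}")
    return line, buf[end + 2:]


def outcome(buf: bytes) -> str:
    """Classify a buffer as 'accepted' or 'rejected' by the rule above."""
    try:
        read_status_line(buf)
        return "accepted"
    except FramingError:
        return "rejected"


# Constructed sample inputs (not captured traffic).
SAMPLES = {
    "clean": b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n",
    "one_empty_line": b"\r\nHTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n",
    "two_empty_lines": b"\r\n\r\nHTTP/1.1 200 OK\r\n\r\n",
    "other_protocol_first": b"220 mail.example ESMTP\r\nHTTP/1.1 200 OK\r\n\r\n",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name}: {outcome(data)}")
```
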