Re: #409: is parsing OBS-FOLD mandatory? from Willy Tarreau on 2012-12-19 (ietf-http-wg@w3.org from October to December 2012)

From: Willy Tarreau <w@1wt.eu>
Date: Wed, 19 Dec 2012 08:18:58 +0100
To: Mark Nottingham <mnot@mnot.net>
Cc: "Roy T. Fielding" <fielding@gbiv.com>, "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
Message-ID: <20121219071858.GD21050@1wt.eu>

On Wed, Dec 19, 2012 at 11:55:26AM +1100, Mark Nottingham wrote:
> 
> On 13/12/2012, at 8:18 AM, Willy Tarreau <w@1wt.eu> wrote:
> 
> > On Wed, Dec 12, 2012 at 10:18:28AM -0800, Roy T. Fielding wrote:
> > (...)
> >>> """
> >>> If a received protocol element is processed, the recipient MUST be able to parse any value that would match the ABNF rules for that protocol element, excluding only those rules not applicable to the recipient's role, and those rules whose names begin with "obs-" (e.g., obs-fold).
> >>> """
> >> 
> >> Do we really want to exclude non-ASCII octets (obs-text) and older
> >> date formats (obs-date)?  Do we demote them to SHOULD or MAY?
> > 
> > This is a good point. Line-folding causes security issues and does not
> > seem to be used by senders, but I think we all regularly catch some
> > obs-text and obs-date come from old applications or crippled devices.
> > 
> >> This change is fine with me, but it is a hard break from retaining
> >> compatibility and we need to be absolutely sure we want to do that.
> > 
> > I'd rather not break these ones, personally.
> > 
> > Couldn't we settle on just stating that obs-fold is normally not used,
> > is known to cause security issues when improperly implemented, and
> > should either be completely supported, or rejected, but in all cases
> > must be detected ?
> 
> 
> I'm OK with it either way, as long as we're clear about what we mean, as well
> as what's interoperable.
> 
> This statement is still ambiguous;
> 
> """
> As a convention, ABNF rule names prefixed with "obs-" denote "obsolete"
> grammar rules that appear for historical reasons.
> """
> 
> Perhaps we could start by 
> 
> 1) clarifying what "obsolete" means for senders and recipients in the error
> handling section (I think we've already done most of this, see other part of
> thread)
> 2) referring to that clarification in the ABNF statement quoted above (easy fix)
> 3) re-evaluating the use of the obs- prefix in each case (???)

That sounds like a reasonable plan.

> Personally, I think obs-date and obs-text are justified in having the prefix
> and resulting SHOULD, because they're not really interoperable.

OK. So "SHOULD" could be the default rule for obs-* and exceptions could
be handled specifically (eg: obs-fold).

Willy

Received on Wednesday, 19 December 2012 07:19:29 UTC