- From: Amos Jeffries <squid3@treenet.co.nz>
- Date: Thu, 18 Apr 2013 16:30:03 +1200
- To: ietf-http-wg@w3.org
On 18/04/2013 1:18 p.m., Mark Nottingham wrote: > p1 3.2.3 says: > >> BWS is used where the grammar allows optional whitespace, for >> historical reasons, but senders SHOULD NOT generate it in messages; >> recipients MUST accept such bad optional whitespace and remove it >> before interpreting the field value or forwarding the message >> downstream. > http://tools.ietf.org/html/draft-ietf-httpbis-p1-messaging-22#section-3.2.3 > > Throughout our specs, BWS is used at the end of header fields: > header-field = field-name ":" OWS field-value BWS > > and in transfer-codings: > transfer-parameter = attribute BWS "=" BWS value > > and in Expect headers: > expectation = expect-name [ BWS "=" BWS expect-value] > *( OWS ";" [ OWS expect-param ] ) > expect-param = expect-name [ BWS "=" BWS expect-value ] > > and, finally, in auth-params on challenges and credentials: > auth-param = token BWS "=" BWS ( token / quoted-string ) > > Is this whitespace really "bad" enough to MUST-require that intermediaries (including load balancers and other hardware!) remove it before forwarding the message? For interoperability yes the whitespace is a bit problem. Its presence subtly breaks any implementations looking for tokens with the strict termination delimiter and also opens opportunities for problems related to WS padding headers on maliciously crafted messages. Amos
Received on Thursday, 18 April 2013 04:30:30 UTC