Re: Permitted characters for http keys from Mark Nottingham on 2013-02-25 (ietf-http-wg@w3.org from January to March 2013)

From: Mark Nottingham <mnot@mnot.net>
Date: Tue, 26 Feb 2013 10:02:18 +1100
To: James M Snell <jasnell@gmail.com>
Cc: Martin Dürst <duerst@it.aoyama.ac.jp>, ietf-http-wg@w3.org, Roberto Peon <grmocg@gmail.com>
Message-Id: <890567E7-62B2-4267-BE29-A7E849ADFC1D@mnot.net>

I'd be really, really wary of this. They may not be standard or common, but I've seen many headers that exercise the stranger characters available, and having them break in HTTP/2 would not be good.

Cheers,


On 26/02/2013, at 2:58 AM, James M Snell <jasnell@gmail.com> wrote:

> Could we get away with redefining this as simply...
> 
>     "-" / "." / "_"  / DIGIT / ALPHA
> 
> With an 8-bit length restriction? (That is, length represent by a single unsigned byte)
> 
> Given all evidence of current practice, these constraints appear quite reasonable.
> On Feb 25, 2013 2:36 AM, "Mark Nottingham" <mnot@mnot.net> wrote:
> Right now, the syntax is:
> 
>   header-field   = field-name ":" OWS field-value BWS
>   field-name     = token
>   token          = 1*tchar
>   tchar          = "!" / "#" / "$" / "%" / "&" / "'" / "*"
>                     / "+" / "-" / "." / "^" / "_" / "`" / "|" / "~"
>                     / DIGIT / ALPHA ; any VCHAR, except special
> 
> 
> 
> On 25/02/2013, at 7:57 PM, Martin J. Dürst <duerst@it.aoyama.ac.jp> wrote:
> 
> > Hello Roberto,
> >
> > What do you mean with "header key"? Do you mean header field names? E.g. the "Host" in the host header (field), and so on?
> >
> > In that case, I agree. Please note that [RFC5322] allows all US-ASCII printable characters except ":" in optional header field names (Section 3.6.8). I had to learn this (and the "header field", "header field name",... terminology) while working on RFC 6068.
> >
> > I'm not sure this also applies to HTTP, but it may as well do so. Of course, a header field name like "^$&%*@(!]" really makes no sense at all, but that's a separate issue.
> >
> > Regards,   Martin.
> >
> > On 2013/02/20 5:45, Roberto Peon wrote:
> >> Right now I believe we allow a wider encoding for HTTP keys than is
> >> necessary.
> >>
> >> Does anyone know of any non-crazy use for character values>  127 in the
> >> header keys (because I really can't think of any)?
> >>
> >> -=R
> >>
> >
> 
> --
> Mark Nottingham   http://www.mnot.net/
> 
> 
> 
> 

--
Mark Nottingham   http://www.mnot.net/

Received on Monday, 25 February 2013 23:02:51 UTC