Re: Permitted characters for http keys from James M Snell on 2013-02-25 (ietf-http-wg@w3.org from January to March 2013)

From: James M Snell <jasnell@gmail.com>
Date: Mon, 25 Feb 2013 15:26:46 -0800
To: Mark Nottingham <mnot@mnot.net>
Cc: Martin Dürst <duerst@it.aoyama.ac.jp>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>, Roberto Peon <grmocg@gmail.com>
Message-ID: <CABP7RbeQTD1Mtm6tK9gd-w197XC=HV5CwD9aFF30ujkY=eH5uA@mail.gmail.com>

Sigh.. ok, how about the part about limiting header field name length
to <= 0xFF?

On Mon, Feb 25, 2013 at 3:02 PM, Mark Nottingham <mnot@mnot.net> wrote:
> I'd be really, really wary of this. They may not be standard or common, but I've seen many headers that exercise the stranger characters available, and having them break in HTTP/2 would not be good.
>
> Cheers,
>
>
> On 26/02/2013, at 2:58 AM, James M Snell <jasnell@gmail.com> wrote:
>
>> Could we get away with redefining this as simply...
>>
>>     "-" / "." / "_"  / DIGIT / ALPHA
>>
>> With an 8-bit length restriction? (That is, length represent by a single unsigned byte)
>>
>> Given all evidence of current practice, these constraints appear quite reasonable.
>> On Feb 25, 2013 2:36 AM, "Mark Nottingham" <mnot@mnot.net> wrote:
>> Right now, the syntax is:
>>
>>   header-field   = field-name ":" OWS field-value BWS
>>   field-name     = token
>>   token          = 1*tchar
>>   tchar          = "!" / "#" / "$" / "%" / "&" / "'" / "*"
>>                     / "+" / "-" / "." / "^" / "_" / "`" / "|" / "~"
>>                     / DIGIT / ALPHA ; any VCHAR, except special
>>
>>
>>
>> On 25/02/2013, at 7:57 PM, Martin J. Dürst <duerst@it.aoyama.ac.jp> wrote:
>>
>> > Hello Roberto,
>> >
>> > What do you mean with "header key"? Do you mean header field names? E.g. the "Host" in the host header (field), and so on?
>> >
>> > In that case, I agree. Please note that [RFC5322] allows all US-ASCII printable characters except ":" in optional header field names (Section 3.6.8). I had to learn this (and the "header field", "header field name",... terminology) while working on RFC 6068.
>> >
>> > I'm not sure this also applies to HTTP, but it may as well do so. Of course, a header field name like "^$&%*@(!]" really makes no sense at all, but that's a separate issue.
>> >
>> > Regards,   Martin.
>> >
>> > On 2013/02/20 5:45, Roberto Peon wrote:
>> >> Right now I believe we allow a wider encoding for HTTP keys than is
>> >> necessary.
>> >>
>> >> Does anyone know of any non-crazy use for character values>  127 in the
>> >> header keys (because I really can't think of any)?
>> >>
>> >> -=R
>> >>
>> >
>>
>> --
>> Mark Nottingham   http://www.mnot.net/
>>
>>
>>
>>
>
> --
> Mark Nottingham   http://www.mnot.net/
>
>
>

Received on Monday, 25 February 2013 23:27:34 UTC