
Re: Restricting the HTTP method definition

From: Roy T. Fielding <fielding@gbiv.com>
Date: Tue, 20 Aug 2013 18:06:26 -0700
Cc: "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Message-Id: <43D7E478-8258-4B76-AF30-2042F37042C9@gbiv.com>
To: James M Snell <jasnell@gmail.com>

On Aug 20, 2013, at 4:22 PM, James M Snell wrote:

> HTTPbis currently defines the request method as a "token" of unbounded-length.
> 
> Specifically:
> 
>   tchar = "!" / "#" / "$" / "%" / "&" / "'" / "*" / "+" / "-" / "." /
>    "^" / "_" / "`" / "|" / "~" / DIGIT / ALPHA
>   token = 1*tchar
>   method = token
> 
> This definition is overly broad and does not reflect real world use
> [http://tools.ietf.org/html/draft-ietf-httpbis-method-registrations-12].
> 
> I propose that in HTTP/2 we tighten this definition up significantly
> and place an upper bound on the length a request method ought to be:
> 
>  UPPER = %x41-5A
>  method = UPPER *20( UPPER / "_" / "-" )

No.  The specification already explains why that isn't desirable
for gateways, and it actually makes the security properties
of applications worse if they think they can rely on the ABNF
to limit received syntax lengths.

....Roy
Received on Wednesday, 21 August 2013 01:06:51 UTC
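The two grammars in the exchange above (the HTTPbis `method = token` rule James quotes, and his proposed `UPPER *20( UPPER / "_" / "-" )` restriction) side by side with the receiver-side bound Roy's reply argues for. This is an added illustration, not code from the thread or from any HTTP implementation; the 64-octet cap and the request-line parser are assumptions for the example.

```python
import re

# Added example (not from the thread). Validates an HTTP request method
# against the two grammars discussed and shows a receiver enforcing its own
# length limit independently of whichever grammar it parses.

# tchar / token as quoted in the thread from HTTPbis:
#   tchar = "!" / "#" / "$" / "%" / "&" / "'" / "*" / "+" / "-" / "." /
#           "^" / "_" / "`" / "|" / "~" / DIGIT / ALPHA
#   token = 1*tchar
TCHAR = r"!#$%&'*+\-.^_`|~0-9A-Za-z"
TOKEN_RE = re.compile("[" + TCHAR + "]+")

# The proposed restriction: UPPER *20( UPPER / "_" / "-" ), i.e. 1 to 21 chars.
RESTRICTED_RE = re.compile(r"[A-Z][A-Z_\-]{0,20}")

# Receiver-chosen cap on method length (assumed value for this example; the
# thread names no number). The point is that the cap is the implementation's
# own decision, applied before any grammar check, so the grammar being
# unbounded does not make the parser unbounded.
MAX_METHOD_OCTETS = 64


def is_token_method(method: str) -> bool:
    """True if `method` satisfies HTTPbis `method = token` (unbounded length)."""
    return TOKEN_RE.fullmatch(method) is not None


def is_restricted_method(method: str) -> bool:
    """True if `method` satisfies the proposed 21-character upper-case grammar."""
    return RESTRICTED_RE.fullmatch(method) is not None


def parse_request_line(line: bytes, max_method_octets: int = MAX_METHOD_OCTETS):
    """Parse 'method SP request-target SP HTTP-version CRLF'.

    The method scan is bounded by `max_method_octets` before the token grammar
    is consulted, so an over-long method is rejected by the receiver's own
    limit rather than by trusting the ABNF to have limited it.
    Returns (method, target, version) or raises ValueError.
    """
    if not line.endswith(b"\r\n"):
        raise ValueError("request line must end with CRLF")
    body = line[:-2]
    # Only look for the first SP within the cap; a longer method is never scanned.
    sp = body.find(b" ", 0, max_method_octets + 1)
    if sp <= 0:
        raise ValueError("method empty or longer than receiver limit")
    try:
        method = body[:sp].decode("ascii")
    except UnicodeDecodeError:
        raise ValueError("non-ASCII octet in method")
    if not is_token_method(method):
        raise ValueError("method is not a token")
    rest = body[sp + 1:]
    parts = rest.split(b" ")
    if len(parts) != 2 or not parts[0] or not parts[1].startswith(b"HTTP/"):
        raise ValueError("expected '<target> SP HTTP/<version>'")
    return method, parts[0].decode("ascii"), parts[1].decode("ascii")


if __name__ == "__main__":
    # Constructed sample inputs.
    for m in ("GET", "M-SEARCH", "get", "VERSION-CONTROL", "A" * 22):
        print(f"{m!r:26} token={is_token_method(m)} restricted={is_restricted_method(m)}")
    print(parse_request_line(b"GET / HTTP/1.1\r\n"))
    try:
        parse_request_line(b"A" * 65 + b" / HTTP/1.1\r\n")
    except ValueError as e:
        print("rejected:", e)
```

Lower-case or mixed-case methods such as `get` are valid tokens but fail the proposed grammar, which is the gateway concern: a gateway forwarding methods it does not itself know would have to drop them. The `parse_request_line` bound is the behaviour the reply calls for: the receiver decides what it will buffer, whatever the ABNF permits.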
