Re: Restricting the HTTP method definition

From: James M Snell <jasnell@gmail.com>
Date: Tue, 20 Aug 2013 19:50:58 -0700
Message-ID: <CABP7Rbcrbdetf2NycTPbVmubHaAtyZKdfyfTvHDtSAmVxvxKBg@mail.gmail.com>
To: "Roy T. Fielding" <fielding@gbiv.com>
Cc: "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>

On Tue, Aug 20, 2013 at 6:06 PM, Roy T. Fielding <fielding@gbiv.com> wrote:
>>[snip]
>>  UPPER = %x41-5A
>>  method = UPPER *20( UPPER / "_" / "-" )
>
> No.  The specification already explains why that isn't desirable
> for gateways, and it actually makes the security properties
> of applications worse if they think they can rely on the ABNF
> to limit received syntax lengths.
>

Well, I'm familiar with the passage in the current spec that deals
with request line length, but not any discussion of request line
lengths and what's desirable for gateways. I may have missed it, have
a pointer?

Regardless, I was talking primarily about requirements for new methods
and defining a subset that is a closer reflection of what
implementations do. If it makes it better, however, I'm fine with
dropping the *20 part... just make it:

  UPPER = %x41-5A
  method = UPPER *( UPPER / "_" / "-" )

how's that?

- James

> ....Roy
>
Received on Wednesday, 21 August 2013 02:51:45 UTC
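
Added example, not part of the original message or of any specification text: a Python check of the two `method` grammars proposed in this thread, with the receiver's own length bound enforced separately from the grammar, which is the concern raised in the quoted reply. The names `classify_method` and `method_of`, and the cap of 32 bytes, are assumptions made for illustration.

```python
import re

# First proposal quoted in the thread (with the *20 repetition bound):
#   UPPER = %x41-5A
#   method = UPPER *20( UPPER / "_" / "-" )
BOUNDED = re.compile(r"[A-Z][A-Z_-]{0,20}\Z")
# Revised proposal from the message (no repetition bound):
#   method = UPPER *( UPPER / "_" / "-" )
UNBOUNDED = re.compile(r"[A-Z][A-Z_-]*\Z")

# Assumption: a receiver-chosen cap, not taken from any specification.
MAX_METHOD_LEN = 32


def method_of(request_line: bytes, max_scan: int = MAX_METHOD_LEN) -> bytes:
    """Return the bytes before the first SP, reading at most max_scan + 1 bytes.

    Bounding the scan here means an oversized method is never copied whole,
    whatever the sender put on the wire.
    """
    head = request_line[: max_scan + 1]
    sp = head.find(b" ")
    return head if sp == -1 else head[:sp]


def classify_method(raw: bytes, grammar=UNBOUNDED,
                    max_len: int = MAX_METHOD_LEN) -> str:
    """Return "ok", "too_long" or "bad_syntax" for a method token.

    The length check runs first and does not depend on the grammar, so
    editing the ABNF cannot silently remove the receiver's bound.
    """
    if len(raw) > max_len:
        return "too_long"
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return "bad_syntax"
    return "ok" if grammar.match(text) else "bad_syntax"


if __name__ == "__main__":
    # Constructed request lines, for illustration only.
    samples = [b"GET / HTTP/1.1", b"M-SEARCH * HTTP/1.1", b"get / HTTP/1.1",
               b"A" * 5000 + b" / HTTP/1.1", b"GET\r\nX: y / HTTP/1.1"]
    for line in samples:
        print(repr(line[:24]), "->", classify_method(method_of(line)))
```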

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 17:14:14 UTC