deprecation of HTTP header field line folding, was: APPSDIR review of draft-ietf-httpbis-p1-messaging-24 from Julian Reschke on 2013-10-30 (ietf-http-wg@w3.org from October to December 2013)

From: Julian Reschke <julian.reschke@gmx.de>
Date: Wed, 30 Oct 2013 14:53:36 +0100
To: S Moonesamy <sm+ietf@elandsys.com>, apps-discuss@ietf.org, draft-ietf-httpbis-p1-messaging.all@tools.ietf.org
CC: ietf-http-wg@w3.org, ietf@ietf.org
Message-ID: <52710F60.7060206@gmx.de>

On 2013-10-28 17:55, S Moonesamy wrote:
> Hello,
>
> While I was reviewing other drafts in the set I noticed that Section
> 3.2.4 of draft-ietf-httpbis-p1-messaging-24 has the following:
>
>    "Historically, HTTP header field values could be extended over
>     multiple lines by preceding each extra line with at least one space
>     or horizontal tab (obs-fold).  This specification deprecates such
>     line folding except within the message/http media type
>     (Section 8.3.1).  A sender MUST NOT generate a message that includes
>     line folding (i.e., that has any field-value that contains a match to
>     the obs-fold rule) unless the message is intended for packaging
>     within the message/http media type."
>
> There is an IETF specification which interpreted Section 4.2 of RFC 2616
> as follows:
>
>    "the HTTP header syntax allows extending single header values across
>     multiple lines, by inserting a line break followed by whitespace"

<http://tools.ietf.org/html/rfc4918#section-10.4.2>

So yes, this is a change from 2616 that we made due to security problems 
(header injection).

> I'll classify deprecating line folding as an issue.
>
> Section 4.2 of RFC 2616 (and RFC 2068) follows the same generic format
> as that given in Section 3.1 of RFC 822.  Section 2.2 of RFC 2616 states
> that:
>
>    "HTTP/1.1 header field values can be folded onto multiple lines if the
>     continuation line begins with a space or horizontal tab."
>
> I suggest that implementors of specifications which have a dependency on
> RFC 2616 review the relevant section in
> draft-ietf-httpbis-p1-messaging-24 about line folding and comment if
> they consider the deprecation as a problem.

Review is always good.

Note that the change is listed in 
<http://greenbytes.de/tech/webdav/draft-ietf-httpbis-p1-messaging-24.html#rfc.section.A.2.p.8>:

"Header fields that span multiple lines ("line folding") are deprecated. 
(Section 3.2.4)"

Best regards, Julian

Received on Wednesday, 30 October 2013 13:54:15 UTC