- From: Julian Reschke <julian.reschke@gmx.de>
- Date: Sat, 22 Mar 2014 08:27:49 +0100
- To: Gabriel Montenegro <Gabriel.Montenegro@microsoft.com>, Mark Nottingham <mnot@mnot.net>, Zhong Yu <zhong.j.yu@gmail.com>, Dave Thaler <dthaler@microsoft.com>, Osama Mazahir <OSAMAM@microsoft.com>, Matthew Cox <macox@microsoft.com>
- CC: HTTP Working Group <ietf-http-wg@w3.org>

On 2014-03-22 06:40, Gabriel Montenegro wrote:
> ...
> From Julian:
> > Practically, how is a UA supposed to *know* the encoding that was used for the URI *unless* it constructed it itself? (Which is not what browsers do; they only construct the query part).
>
> If you don't know for sure, then don't use the header. But if you know for sure, it's useful to indicate this fact by using the headers to tighten parsing at the other side. Notice that a malicious agent would have incentive to *not* use the header so as to continue exploiting the legacy situation. Using the header imposes constraints that make it harder to exploit the current situation of non-determinism.

I have the impression that some of the confusion is caused by different people making different claims about what recipients will do with the server.

My understanding was that Nicolas sees this as a signal that allows him *not* to do certain checks, while you seem to say you want to do *stricter* checks (which makes sense).

It would be awesome if the spec was more clear about that.

> ...

Best regards, Julian

Received on Saturday, 22 March 2014 07:28:26 UTC