- From: Julian Reschke <julian.reschke@gmx.de>
- Date: Tue, 01 Jul 2014 08:45:48 +0200
- To: Anne van Kesteren <annevk@annevk.nl>, Mark Nottingham <mnot@mnot.net>
- CC: Barry Leiba <barryleiba@computer.org>, RFC Errata System <rfc-editor@rfc-editor.org>, Roy Fielding <fielding@gbiv.com>, Pete Resnick <presnick@qti.qualcomm.com>, HTTP Working Group <ietf-http-wg@w3.org>
On 2014-07-01 08:09, Anne van Kesteren wrote:
> On Tue, Jul 1, 2014 at 5:20 AM, Mark Nottingham <mnot@mnot.net> wrote:
>> Anne, is there security impact here?
>
> Rendering
>
>    Content-Type:text/html;
>
> vs showing some kind of error is one of the issues here.

True, but what would be a bigger concern is the case where draconic error handling results in a *loss* of security (and that's not the case here, right?).

>> I could see us starting work on a "Tolerant HTTP Header Field Parsing" spec if there's sufficient interest; it's a pretty thankless task, but personally I think it'd be worthwhile, and would contribute. We can spend a few minutes in Toronto on this if anyone else is interested...
>
> Exhaustive parsing rules for HTTP clients would be good. Having them
> differ is a big end user transition problem and can slow development
> on new clients, such as Servo.

It would be awesome if the people working on Servo would have a look at <http://trac.tools.ietf.org/wg/httpbis/trac/wiki/HeaderFieldTypes> and try to come up with some kind of library that makes it easier to create parsers for the notoriously hard to parse yet similar header fields (C-C, WWW-A, C-D, C-T ...)

Best regards, Julian
Received on Tuesday, 1 July 2014 06:46:30 UTC
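
The case raised in the message above, a `Content-Type` value of `text/html;` with a trailing semicolon, as an added example (not part of the original message or of any HTTP WG text): a strict parser following the RFC 7231 `media-type` grammar rejects the value, while a tolerant mode that skips empty parameters accepts it. The function names and the first-wins handling of duplicate parameters are assumptions made for this example.

```python
import re

# token and quoted-string, simplified from RFC 7230 section 3.2.6
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
QUOTED = r'"(?:[^"\\]|\\.)*"'
PARAM = re.compile(rf"({TOKEN})=({TOKEN}|{QUOTED})\Z")
TYPE = re.compile(rf"({TOKEN})/({TOKEN})\Z")


def split_params(value):
    """Split a field value on ';', ignoring ';' inside quoted strings."""
    parts, buf, in_q, esc = [], "", False, False
    for ch in value:
        if ch == ";" and not in_q:
            parts.append(buf)
            buf = ""
            continue
        if esc:
            esc = False          # character after a backslash is literal
        elif in_q and ch == "\\":
            esc = True
        elif ch == '"':
            in_q = not in_q
        buf += ch
    parts.append(buf)
    return parts


def parse_media_type(value, tolerant=False):
    """Return ('type/subtype', {params}); raise ValueError if rejected."""
    parts = split_params(value.strip(" \t"))
    m = TYPE.match(parts[0].strip(" \t"))
    if not m:
        raise ValueError("bad type/subtype")
    params = {}
    for raw in parts[1:]:
        raw = raw.strip(" \t")
        pm = PARAM.match(raw)
        if pm:
            name, val = pm.group(1).lower(), pm.group(2)
            if val.startswith('"'):
                val = re.sub(r"\\(.)", r"\1", val[1:-1])  # unquote
            params.setdefault(name, val)  # first wins (this example's choice)
        elif tolerant and raw == "":
            continue  # empty parameter, e.g. the trailing ';'
        else:
            raise ValueError(f"bad parameter: {raw!r}")
    return f"{m.group(1)}/{m.group(2)}".lower(), params
```

Two clients that disagree on the `tolerant` setting will disagree on whether `text/html;` is rendered as HTML or treated as an error, which is the interoperability gap the thread describes.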