- From: Julian Reschke <julian.reschke@gmx.de>
- Date: Tue, 01 Jul 2014 09:14:16 +0200
- To: Anne van Kesteren <annevk@annevk.nl>
- CC: Mark Nottingham <mnot@mnot.net>, Barry Leiba <barryleiba@computer.org>, RFC Errata System <rfc-editor@rfc-editor.org>, Roy Fielding <fielding@gbiv.com>, Pete Resnick <presnick@qti.qualcomm.com>, HTTP Working Group <ietf-http-wg@w3.org>
On 2014-07-01 08:59, Anne van Kesteren wrote:
> On Tue, Jul 1, 2014 at 8:45 AM, Julian Reschke <julian.reschke@gmx.de> wrote:
>> True, but what would be a bigger concern is the case where draconic error
>> handling results in a *loss* of security (and that's not the case here,
>> right?).
>
> I could imagine this being the cause of a crucial subresource not
> working. Cannot immediately think of an attack though.
>
>
>> It would be awesome if the people working on Servo would have a look at
>> <http://trac.tools.ietf.org/wg/httpbis/trac/wiki/HeaderFieldTypes> and try
>> to come up with some kind of library that makes it easier to create parsers
>> for the notoriously hard to parse yet similar header fields (C-C, WWW-A,
>> C-D, C-T ...)
>
> It would be, but what we should be aiming for is not requiring
> additional work as launching a new client is already very costly.

Yes, optimally we already had this framework, both as a spec and as code. Violent agreement over here.

What I said is that *if* somebody already is rewriting everything (due to a brand-new language), it would make a lot of sense to do it right this time, instead of coming up with ~10 customer parsers that are all buggy (such as the ones in classical Mozilla).

Best regards, Julian
Received on Tuesday, 1 July 2014 07:14:57 UTC