- From: Mark Nottingham <mnot@mnot.net>
- Date: Wed, 2 Jul 2014 15:53:23 +1000
- To: David Krauss <potswa@gmail.com>
- Cc: Martin Thomson <martin.thomson@gmail.com>, "Julian F. Reschke" <julian.reschke@gmx.de>, HTTP Working Group <ietf-http-wg@w3.org>
On 2 Jul 2014, at 3:46 pm, David Krauss <potswa@gmail.com> wrote: >> It's a lot more than that; if they're trying to map into HTTP semantics, they'll have to figure out how to represent the headers in existing APIs. > > Simply strip the colon. I suspect that even when the ALPN spec mentions nothing of the sort, it will be a practical workaround anyway. It’s obvious enough to warrant a specific prohibition, if you want folks not to do this. > > Graceful degradation dictates that the subset of HTTP/2 usage surviving translation through HTTP/1.1 should be maximized. Um, no. Collapsing the two namespaces into one is a security nightmare along the lines of <https://www.owasp.org/index.php/HTTP_Request_Smuggling>. -- Mark Nottingham https://www.mnot.net/
Received on Wednesday, 2 July 2014 05:53:53 UTC