- From: David Krauss <potswa@gmail.com>
- Date: Wed, 2 Jul 2014 14:04:34 +0800
- To: Mark Nottingham <mnot@mnot.net>
- Cc: Martin Thomson <martin.thomson@gmail.com>, "Julian F. Reschke" <julian.reschke@gmx.de>, HTTP Working Group <ietf-http-wg@w3.org>
On 2014–07–02, at 1:53 PM, Mark Nottingham <mnot@mnot.net> wrote: > Um, no. Collapsing the two namespaces into one is a security nightmare along the lines of <https://www.owasp.org/index.php/HTTP_Request_Smuggling>. Then, say so in the spec that ALPN tokens shouldn’t alias pseudos with headers and ALPN-basis APIs shouldn’t expose headers as pseudos (the converse of the existing restriction). Just to point out, you don’t have that problem in the first place if you don’t open the second namespace.
Received on Wednesday, 2 July 2014 06:05:19 UTC