
Re: Call for Adoption: draft-reschke-rfc5987bis

From: Martin J. Dürst <duerst@it.aoyama.ac.jp>
Date: Tue, 31 Mar 2015 16:57:03 +0900
Message-ID: <551A534F.5080702@it.aoyama.ac.jp>
To: Willy Tarreau <w@1wt.eu>, Mark Nottingham <mnot@mnot.net>
CC: HTTP Working Group <ietf-http-wg@w3.org>
On 2015/03/31 14:42, Willy Tarreau wrote:
> Also, I'd prefer to make it explicitly forbidden to %-encode US-ASCII
> characters because this could be used to bypass some WAFs for example :
> if it is detected that a server implements this standard and is able
> to %-decode some attributes in header fields, and a WAF in the middle
> does not, the client can abuse the %-encoding to try to hide some
> activities.

This makes a lot of sense, but we have to be careful that this doesn't
apply to all US-ASCII characters; there will be some that have to be
escaped because of syntactic constraints.

It's really a pity that more than 25 years after the first version of
HTTP, we are still carrying around this kind of antiquated baggage.

I see that UTF-8 is the only encoding that's a MUST in the draft, so at
least that's progress in the right direction (although rather glacial).

Regards,   Martin.
Received on Tuesday, 31 March 2015 07:57:38 UTC
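The check Willy proposes, with Martin's caveat applied, as an added example that is not from this thread or from the draft: a decoder for the RFC 5987 ext-value production (charset'language'value-chars) that accepts percent-encoding only for octets the grammar forces to be escaped (non-ASCII bytes and ASCII characters outside attr-char) and rejects percent-encoded attr-chars, so an intermediary and the origin cannot be made to see different strings. The attr-char set is the one defined in RFC 5987; the function and exception names are my own.

```python
import re

# attr-char from RFC 5987: these never need escaping, so a %XX for one of
# them is over-encoding and is rejected in strict mode.
ATTR_CHAR = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
                "0123456789!#$&+-.^_`|~")
PCT = re.compile(r"%([0-9A-Fa-f]{2})")


class ExtValueError(ValueError):
    """Raised when an ext-value violates the grammar or the strict policy."""


def parse_ext_value(ext_value: str, strict_ascii: bool = True):
    """Decode charset'language'value-chars; return (charset, language, text)."""
    parts = ext_value.split("'")
    if len(parts) != 3:
        raise ExtValueError("expected charset'language'value-chars")
    charset, language, value_chars = parts
    if charset.upper() != "UTF-8":          # UTF-8 is the only MUST-support charset
        raise ExtValueError(f"unsupported charset {charset!r}")
    out = bytearray()
    i = 0
    while i < len(value_chars):
        c = value_chars[i]
        if c == "%":
            m = PCT.match(value_chars, i)
            if not m:
                raise ExtValueError("truncated or invalid pct-encoding")
            byte = int(m.group(1), 16)
            # Strict policy: an ASCII attr-char must appear literally, never as %XX.
            if strict_ascii and byte < 0x80 and chr(byte) in ATTR_CHAR:
                raise ExtValueError(f"attr-char {chr(byte)!r} must not be pct-encoded")
            out.append(byte)
            i += 3
        elif c in ATTR_CHAR:
            out.append(ord(c))
            i += 1
        else:                               # e.g. space, quote, '*': must be %-encoded
            raise ExtValueError(f"character {c!r} must be pct-encoded")
    try:
        return charset, language, out.decode("utf-8")
    except UnicodeDecodeError as e:
        raise ExtValueError("value-chars do not decode as UTF-8") from e


def rejects(ext_value: str) -> bool:
    """True if the strict decoder refuses this ext-value."""
    try:
        parse_ext_value(ext_value)
        return False
    except ExtValueError:
        return True
```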