- From: Martin J. Dürst <duerst@it.aoyama.ac.jp>
- Date: Tue, 31 Mar 2015 16:57:03 +0900
- To: Willy Tarreau <w@1wt.eu>, Mark Nottingham <mnot@mnot.net>
- CC: HTTP Working Group <ietf-http-wg@w3.org>
On 2015/03/31 14:42, Willy Tarreau wrote:
> Also, I'd prefer to make it explicitly forbidden to %-encode US-ASCII
> characters because this could be used to bypass some WAFs for example :
> if it is detected that a server implements this standard and is able
> to %-decode some attributes in header fields, and a WAF in the middle
> does not, the client can abuse the %-encoding to try to hide some
> activities.

This makes a lot of sense, but we have to be careful that this doesn't apply to all US-ASCII characters; there will be some that have to be escaped because of syntactic constraints.

<rant>
It's really a pity that more than 25 years after the first version of HTTP, we are still carrying around this kind of antiquated baggage.
</rant>

I see that UTF-8 is the only encoding that's a MUST in the draft, so at least that's progress in the right direction (although rather glacial).

Regards, Martin.
Received on Tuesday, 31 March 2015 07:57:38 UTC
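The point the two messages circle around is that an inspection layer (a WAF) and the origin server must agree on what a percent-encoded parameter value means, and that encoding an ASCII character which does not need encoding is a signal worth flagging, while the syntactically constrained ASCII characters (space, quotes, semicolons and so on) still have to be encoded. The following added example (not part of this thread or of any IETF draft) shows one defender-side approach in Python: decode the `ext-value` form first, record which ASCII characters were needlessly percent-encoded, and compare the input against a canonical re-encoding so that an inspection layer matches on the same bytes the server will see. It assumes the draft under discussion is the RFC 5987 revision, and uses that document's `attr-char` set (the characters that may appear unencoded); the function names, the UTF-8-only policy and the sample inputs are constructed for this illustration.

```python
import re

# attr-char from RFC 5987 (assumed to be the draft being discussed):
# these ASCII characters never need percent-encoding in an ext-value.
ATTR_CHAR = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
    "!#$&+-.^_`|~"
)
HEX_PAIR = re.compile(r"[0-9A-Fa-f]{2}")


class ExtValueError(ValueError):
    """Raised when an ext-value is malformed or violates local policy."""


def parse_ext_value(ext_value):
    """Parse  charset "'" [language] "'" value-chars  into text.

    Returns (decoded_text, over_encoded) where over_encoded lists every
    ASCII attr-char that was percent-encoded although it did not need to
    be; a non-empty list is the 'hide in the encoding' pattern a WAF would
    want to notice. Only UTF-8 is accepted here (local policy, modelled on
    the draft's MUST for UTF-8).
    """
    parts = ext_value.split("'", 2)
    if len(parts) != 3:
        raise ExtValueError("ext-value needs exactly two apostrophes")
    charset, language, value_chars = parts
    if charset.upper() != "UTF-8":
        raise ExtValueError("charset %r not accepted, only UTF-8" % charset)
    if language and not re.fullmatch(r"[A-Za-z0-9-]+", language):
        raise ExtValueError("malformed language tag %r" % language)

    raw = bytearray()
    over_encoded = []
    i = 0
    while i < len(value_chars):
        c = value_chars[i]
        if c == "%":
            hexpair = value_chars[i + 1:i + 3]
            if not HEX_PAIR.fullmatch(hexpair):
                raise ExtValueError("malformed pct-encoded at offset %d" % i)
            octet = int(hexpair, 16)
            # An octet below 0x80 is ASCII; if it is an attr-char it was
            # encoded without any syntactic need.
            if octet < 0x80 and chr(octet) in ATTR_CHAR:
                over_encoded.append(chr(octet))
            raw.append(octet)
            i += 3
        elif c in ATTR_CHAR:
            raw.append(ord(c))
            i += 1
        else:
            # Space, quotes, ';', non-ASCII etc. MUST be percent-encoded.
            raise ExtValueError("character %r must be pct-encoded" % c)
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        raise ExtValueError("value-chars do not decode as UTF-8")
    return text, over_encoded


def canonical_ext_value(text, language=""):
    """Re-encode text the minimal way: attr-char literal, everything else
    as upper-case %XX of its UTF-8 bytes. This is the form an inspection
    layer should normalise to before applying its rules."""
    out = []
    for octet in text.encode("utf-8"):
        ch = chr(octet)
        if octet < 0x80 and ch in ATTR_CHAR:
            out.append(ch)
        else:
            out.append("%%%02X" % octet)
    return "UTF-8'%s'%s" % (language, "".join(out))


def inspect_ext_value(ext_value):
    """What a WAF-style check could return: the decoded text the server
    will see, whether the wire form was already canonical, and which
    ASCII characters were needlessly hidden behind %-encoding."""
    text, over_encoded = parse_ext_value(ext_value)
    language = ext_value.split("'", 2)[1]
    canonical = canonical_ext_value(text, language)
    return {
        "text": text,
        "canonical": canonical,
        "is_canonical": canonical == ext_value,
        "over_encoded": over_encoded,
    }


if __name__ == "__main__":
    # Constructed sample values: a well-formed one and an over-encoded one.
    for sample in ("UTF-8''%C2%A3%20rates", "UTF-8'en'%61%62c"):
        print(sample, "->", inspect_ext_value(sample))
```

A policy built on this would match its rules against `text` (or `canonical`) rather than against the raw header bytes, and would treat a non-empty `over_encoded` list as a reason to reject or at least log, which is exactly the "explicitly forbidden" rule proposed above, minus the characters that the grammar forces everyone to encode.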