- From: Kevin Marks <kevinmarks@gmail.com>
- Date: Sat, 9 Jul 2016 14:51:53 -0700
- Cc: HTTP Working Group <ietf-http-wg@w3.org>

On Fri, Jul 8, 2016 at 11:44 AM, Phil Hunt <phil.hunt@oracle.com> wrote:

> Not sure if this has been discussed. One of the biggest problems with HTTP
> request signing has been repeat headers. It presents the problem of detecting
> which headers are intended and which header was signed first.
>
> It would be nice if the JSON encoding handled arrays so that the demand for
> duplicate headers is removed. Signing could then be more successful and
> could even stipulate that the presence of a repeat header in a signed
> request is a failure condition.
>

JSON doesn't help with this, as key order in objects (as opposed to lists) is not required or defined. Different programming languages behave differently here when iterating. PHP preserves definition order, Python orders by hash of the key, and Go randomises the order (to prevent accidental dependencies).

Parsing JSON into native form and writing it out again makes key order indeterminate. As HTTP headers have order-dependent behaviour, this is a problem with replacing the key: value with JSON.

Received on Saturday, 9 July 2016 21:52:23 UTC
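
Added example, not part of the original message or of any draft discussed on the list: a signature computed over a JSON-encoded header set stops verifying once the object is parsed and written back with a different key order, and a parser can be made to treat a repeated key as a failure condition. The key, the header values and the function names are constructed for illustration; `sort_keys=True` stands in for any runtime whose iteration order differs from the sender's.

```python
import hashlib
import hmac
import json

KEY = b"constructed-demo-key"  # constructed sample key

# Constructed sample: a header set as a JSON object, in the sender's key order.
ORIGINAL = b'{"host":"example.org","date":"Sat, 09 Jul 2016 21:00:00 GMT","accept":"text/html"}'
# Constructed sample: the same kind of object with a repeated key.
REPEATED = b'{"accept":"text/html","host":"example.org","accept":"application/json"}'


def sign(raw: bytes) -> str:
    """HMAC-SHA256 over the exact bytes the sender emitted."""
    return hmac.new(KEY, raw, hashlib.sha256).hexdigest()


def verify(raw: bytes, tag: str) -> bool:
    """Constant-time check of a tag against the bytes actually received."""
    return hmac.compare_digest(sign(raw), tag)


def reserialize(raw: bytes) -> bytes:
    """Model an intermediary that parses into a native map and writes it out again."""
    return json.dumps(json.loads(raw), sort_keys=True, separators=(",", ":")).encode()


def reject_repeats(pairs):
    """object_pairs_hook: fail on a repeated key instead of keeping the last value."""
    seen = {}
    for key, value in pairs:
        if key in seen:
            raise ValueError(f"repeated key: {key}")
        seen[key] = value
    return seen


def strict_parse(raw: bytes) -> dict:
    """Parse a JSON header set, rejecting any object that repeats a key."""
    return json.loads(raw, object_pairs_hook=reject_repeats)


if __name__ == "__main__":
    tag = sign(ORIGINAL)
    print("original verifies:     ", verify(ORIGINAL, tag))
    print("re-serialized verifies:", verify(reserialize(ORIGINAL), tag))
    print("default parse keeps:   ", json.loads(REPEATED)["accept"])
```

The parsed objects compare equal before and after re-serialization, so the mismatch is invisible to any check made on the native form rather than on the signed bytes.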