- From: Richard Gibson <richard.j.gibson@oracle.com>
- Date: Tue, 30 Jan 2018 18:40:21 +0000
- To: ietf-http-wg@w3.org
- Message-Id: <253e40ba-1237-c283-293a-046637ae9726@oracle.com>
-------- Forwarded Message --------
Subject: Comment on "Signing HTTP Messages"
Date: Mon, 29 Jan 2018 21:55:23 -0500
From: Richard Gibson <richard.j.gibson@oracle.com>
To: draft-cavage-http-signatures@ietf.org, http-auth@ietf.org

https://tools.ietf.org/html/draft-cavage-http-signatures-09#section-2.2 specifies the following:

> If any of the parameters listed above are erroneously duplicated in the associated header field, then the last parameter defined MUST be used.

This may expose a client security vulnerability for attacks analogous to HTTP header injection. Is there a compelling reason not to reject requests that specify the same parameter more than once?

> Any parameter that is not recognized as a parameter, or is not well-formed, MUST be ignored.

This will almost certainly limit future changes, since legacy clients won't implement desired behavior changes from new parameters _and_ will fail to signal that inability. Is there a compelling reason not to reject requests that specify unknown parameters?

Received on Wednesday, 31 January 2018 11:14:11 UTC
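
Added example, not part of the original message or the draft: a Python sketch that parses a `Signature` header value under the two rules quoted from section 2.2 and under the reject-on-ambiguity behaviour the message asks about. The function names, the exception class and the sample header values are hypothetical; the parameter names `keyId`, `algorithm`, `headers` and `signature` are the ones the draft defines.

```python
import re

# Parameter names the draft defines for the Signature header.
KNOWN = {"keyId", "algorithm", "headers", "signature"}
# One name="value" pair; values are quoted strings without embedded quotes.
PAIR = re.compile(r'\s*([A-Za-z][A-Za-z0-9]*)="([^"]*)"\s*')

class SignatureParamError(ValueError):
    """Raised by the strict parser when the header is malformed or ambiguous."""

def _pairs(value):
    """Yield (name, value) pairs in order; raise on anything not well-formed."""
    pos = 0
    while pos < len(value):
        m = PAIR.match(value, pos)
        if not m:
            raise SignatureParamError(f"malformed parameter at offset {pos}")
        yield m.group(1), m.group(2)
        pos = m.end()
        if pos < len(value):
            if value[pos] != "," or pos + 1 == len(value):
                raise SignatureParamError(f"bad separator at offset {pos}")
            pos += 1

def parse_last_wins(value):
    """Rules quoted from section 2.2: last duplicate wins, unknown/malformed ignored."""
    params = {}
    for name, val in PAIR.findall(value):
        if name in KNOWN:
            params[name] = val  # a later duplicate silently replaces an earlier one
    return params

def parse_strict(value):
    """Behaviour the message asks about: reject duplicates and unknown names."""
    params = {}
    for name, val in _pairs(value):
        if name not in KNOWN:
            raise SignatureParamError(f"unknown parameter {name!r}")
        if name in params:
            raise SignatureParamError(f"duplicate parameter {name!r}")
        params[name] = val
    return params

# Constructed sample header values (not taken from the draft or the message).
DUPLICATED = 'keyId="key-a",algorithm="hmac-sha256",keyId="key-b",signature="c2ln"'
EXTENDED = 'keyId="key-a",algorithm="hmac-sha256",signature="c2ln",futureParam="1"'
CLEAN = 'keyId="key-a",algorithm="hmac-sha256",headers="date",signature="c2ln"'
```

On `DUPLICATED` the last-wins parser returns `key-b` with no indication that `key-a` was also present, and on `EXTENDED` it drops `futureParam` without signalling that it did; the strict parser raises in both cases and agrees with the last-wins parser on `CLEAN`.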