Core #30: HTTP Field Name Syntax


We discussed this in Montreal, and there seemed to be support in the room (and on the issues list) for restricting the characters available in HTTP headers to a more reasonable range.

The straw-man I put into the issue was:

1*( "-" / "_" / "." / "+" / DIGIT / ALPHA )

What do folks think about this?

If a server were to reject request headers that include characters outside this range, I think we'd be OK, since browsers don't produce such things (AFAICT; of course, we'd want to look into this more closely first).

I'd imagine that clients (especially browsers) would want to run some experiments first, and probably warn in the console, etc. before failing hard on this.



Mark Nottingham

Received on Monday, 15 October 2018 05:21:54 UTC
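An added example, not part of the original message: a small Python check that compares the straw-man grammar above with the current field-name rule (token = 1*tchar, RFC 7230 section 3.2.6) and reports which field names a server enforcing the narrower set would start rejecting. The function names and the sample field names are constructed for illustration.

```python
import string

# Straw-man from the message: 1*( "-" / "_" / "." / "+" / DIGIT / ALPHA )
# ABNF ALPHA and DIGIT are ASCII only, so str.isalnum() would be too permissive.
PROPOSED = frozenset("-_.+" + string.digits + string.ascii_letters)

# Current rule: field-name = token = 1*tchar (RFC 7230, section 3.2.6).
TCHAR = frozenset("!#$%&'*+-.^_`|~" + string.digits + string.ascii_letters)


def classify(name):
    """Return 'ok', 'newly-rejected' (valid token today, outside the
    straw-man set) or 'invalid' (not a valid field name under either rule)."""
    if not name:
        return "invalid"  # both grammars require at least one character
    chars = set(name)
    if chars <= PROPOSED:
        return "ok"
    if chars <= TCHAR:
        return "newly-rejected"
    return "invalid"


def offending(name):
    """Characters in name that fall outside the straw-man set."""
    return sorted(set(name) - PROPOSED)


def audit(names):
    """Group field names by classification, e.g. for a log-only trial run
    before a server or client starts failing hard."""
    report = {"ok": [], "newly-rejected": [], "invalid": []}
    for name in names:
        report[classify(name)].append(name)
    return report


# Constructed sample field names, not taken from real traffic.
SAMPLE = ["Content-Type", "X_Forwarded.For+1", "X-Weird~Name",
          "X|Pipe", "Bad Name", "Bad:Name", "\u00dcnicode", ""]

if __name__ == "__main__":
    for kind, names in audit(SAMPLE).items():
        print(kind, names)
    print("characters dropped by the straw-man:",
          "".join(sorted(TCHAR - PROPOSED)))
```
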