- From: Willy Tarreau <w@1wt.eu>
- Date: Mon, 15 Oct 2018 08:02:34 +0200
- To: Mark Nottingham <mnot@mnot.net>
- Cc: HTTP Working Group <ietf-http-wg@w3.org>

Hi Mark,

On Mon, Oct 15, 2018 at 04:21:19PM +1100, Mark Nottingham wrote:
> <https://github.com/httpwg/http-core/issues/30>
>
> We discussed this in Montreal, and there seemed to be support in the room (and on the issues list) for restricting the characters available in HTTP headers to a more reasonable range.
>
> The straw-man I put into the issue was:
>
> 1*( "-" / "_" / "." / "+" / DIGIT / ALPHA )
>
> What do folks think about this?

I totally support this. Right now haproxy only accepts the ones above in addition to :

"!" / "#" / "$" / "%" / "&" / "'" / "*" / "^" / "`" / "|" / "~"

i.e. everything matching a token. Quite honestly, seeing any character from this extra list in a field name would look extremely suspicious to me, and I'd rather get rid of them.

Regards,
Willy

Received on Monday, 15 October 2018 06:03:02 UTC
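
The two character sets discussed in this message, as an added example that is not part of the original thread and is not haproxy code: a classifier that separates field names matching the straw-man set from names that are valid tokens only because of the extra characters, and from names that are not tokens at all. The function and enum names are hypothetical, and the sample field names are constructed.

```c
#include <stdio.h>
#include <string.h>

enum fn_class {
    FN_INVALID = 0,  /* empty, or contains a non-token character */
    FN_TOKEN_ONLY,   /* valid token, but uses a character outside the straw-man set */
    FN_STRICT        /* matches 1*( "-" / "_" / "." / "+" / DIGIT / ALPHA ) */
};

/* Straw-man set from the quoted proposal. */
static int is_strict_char(unsigned char c)
{
    return (c >= '0' && c <= '9') || (c >= 'A' && c <= 'Z') ||
           (c >= 'a' && c <= 'z') || (c != 0 && strchr("-_.+", c) != NULL);
}

/* The extra token characters listed in the reply. */
static int is_extra_tchar(unsigned char c)
{
    return c != 0 && strchr("!#$%&'*^`|~", c) != NULL;
}

/* Hypothetical helper: classify name[0..len). *bad_pos gets the index of the
 * character that decided a non-strict result (len if the name is strict).
 * Length-based, so an embedded NUL byte is rejected rather than truncating. */
enum fn_class classify_field_name(const char *name, size_t len, size_t *bad_pos)
{
    enum fn_class result = FN_STRICT;
    size_t i;

    *bad_pos = len;
    if (len == 0)
        return FN_INVALID;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (is_strict_char(c))
            continue;
        if (!is_extra_tchar(c)) { *bad_pos = i; return FN_INVALID; }
        if (result == FN_STRICT) { *bad_pos = i; result = FN_TOKEN_ONLY; }
    }
    return result;
}

int main(void)
{
    const char *names[] = { "Content-Type", "X-Foo|Bar", "Bad Name" }; /* constructed */
    size_t i, pos;
    for (i = 0; i < sizeof(names) / sizeof(names[0]); i++)
        printf("%-12s -> %d\n", names[i], classify_field_name(names[i], strlen(names[i]), &pos));
    return 0;
}
```

Logging the `FN_TOKEN_ONLY` results on real traffic before tightening a parser shows how often the extra characters actually appear in field names.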