- From: Julian Reschke <julian.reschke@gmx.de>
- Date: Mon, 15 Oct 2018 08:25:08 +0200
- To: Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>

On 2018-10-15 07:21, Mark Nottingham wrote:
> <https://github.com/httpwg/http-core/issues/30>
>
> We discussed this in Montreal, and there seemed to be support in the room (and on the issues list) for restricting the characters available in HTTP headers to a more reasonable range.
>
> The straw-man I put into the issue was:
>
>    1*( "-" / "_" / "." / "+" / DIGIT / ALPHA )
>
> What do folks think about this?
>
> If a server were to reject request headers that include characters outside this range, I think we'd be OK, since browsers don't produce such things (AFAICT; of course, we'd want to look into this more closely first).
>
> I'd imagine that clients (especially browsers) would want to run some experiments first, and probably warn in the console, etc. before failing hard on this.
>
> Thoughts?
>
> Cheers,

I'm not convinced (but I could be). What actual problem are we solving with that?

Do HTTP clients/servers currently reject illegal field names (do we have tests for that)? If they do not, why?

Best regards, Julian

Received on Monday, 15 October 2018 06:25:35 UTC
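
As an added example (not part of the original thread), the sketch below classifies header field names against the straw-man grammar quoted above and, for comparison, against the RFC 7230 `token` grammar that field names currently follow. The function names and the sample header lines are constructed for illustration.

```python
import re

# Straw-man from the quoted message: 1*( "-" / "_" / "." / "+" / DIGIT / ALPHA )
STRAWMAN = re.compile(r"[-_.+0-9A-Za-z]+")
# RFC 7230: field-name = token = 1*tchar (added here for comparison)
TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")


def classify(name: str) -> str:
    """Return which grammar, if any, accepts this field name."""
    if STRAWMAN.fullmatch(name):
        return "strawman-ok"   # allowed under the proposed restriction
    if TOKEN.fullmatch(name):
        return "token-only"    # legal today, rejected by the straw-man
    return "illegal"           # not a valid field name under either grammar


def audit(raw_lines):
    """Tally field names from raw 'name: value' lines by classification.

    The name is everything before the first colon and is deliberately not
    trimmed, so whitespace before the colon shows up as an illegal name.
    """
    report = {"strawman-ok": [], "token-only": [], "illegal": []}
    for line in raw_lines:
        name, sep, _value = line.partition(":")
        kind = classify(name) if sep else "illegal"
        report[kind].append(name)
    return report


# Constructed sample input, not captured traffic.
SAMPLE = [
    "Content-Type: text/html",
    "X_Forwarded.For+1: 192.0.2.1",
    "X-Trace~Id: abc",               # "~" is a tchar but outside the straw-man
    "Weird|Name: 1",                 # "|" is a tchar but outside the straw-man
    "Transfer-Encoding : chunked",   # whitespace before the colon
    "X(Paren): 1",                   # "(" is a delimiter, not a tchar
    ": no-name",                     # empty field name
]

if __name__ == "__main__":
    for kind, names in audit(SAMPLE).items():
        print(f"{kind}: {names}")
```

Running an audit like this over recorded request headers is one way to gather the data both messages ask for: how many field names seen in practice fall outside the proposed range, and how many are already illegal.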