- From: Poul-Henning Kamp <phk@phk.freebsd.dk>
- Date: Mon, 15 Oct 2018 06:26:47 +0000
- To: Mark Nottingham <mnot@mnot.net>
- cc: HTTP Working Group <ietf-http-wg@w3.org>
--------
In message <5A5244C2-02D4-45FF-BC47-3296E450D753@mnot.net>, Mark Nottingham writes:

><https://github.com/httpwg/http-core/issues/30>
>
>We discussed this in Montreal, and there seemed to be support in the
>room (and on the issues list) for restricting the characters available
>in HTTP headers to a more reasonable range.
>
>The straw-man I put into the issue was:
>
>1*( "-" / "_" / "." / "+" / DIGIT / ALPHA )

Unless there is normative use of it, I think we should leave out
the "." to protect OO languages from smuggling attacks.

--
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.
Received on Monday, 15 October 2018 06:27:11 UTC
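
The character ranges discussed in this message, compared side by side. This is an added example, not part of the original message or of any working-group text: it checks field names against RFC 7230's token characters, the quoted straw-man, and the straw-man without ".". The function names, grammar labels and sample field names are constructed for illustration.

```python
import string

ALNUM = string.digits + string.ascii_letters  # ABNF DIGIT / ALPHA (ASCII only)

# RFC 7230 "token" characters (tchar): what a field name may contain today.
RFC7230_TCHAR = set("!#$%&'*+-.^_`|~" + ALNUM)
# Straw-man quoted above: 1*( "-" / "_" / "." / "+" / DIGIT / ALPHA )
STRAWMAN = set("-_.+" + ALNUM)
# Variant suggested in the reply: the straw-man with "." left out.
NO_DOT = STRAWMAN - {"."}

# Labels are hypothetical, chosen for this example.
GRAMMARS = {"rfc7230": RFC7230_TCHAR, "strawman": STRAWMAN, "no_dot": NO_DOT}


def accepted_by(name):
    """Return the labels of the grammars that accept `name`.

    The leading "1*" in the ABNF means at least one character, so the
    empty string is rejected by every grammar.
    """
    return [label for label, allowed in GRAMMARS.items()
            if name and all(ch in allowed for ch in name)]


def rejected_chars(name, grammar="no_dot"):
    """Return the sorted characters of `name` that `grammar` does not allow."""
    return sorted(set(name) - GRAMMARS[grammar])


if __name__ == "__main__":
    # Constructed sample field names, not taken from any real traffic.
    for sample in ["Content-Type", "user.role", "X-Custom~Flag", "Bad Name", ""]:
        print(repr(sample), "->", accepted_by(sample) or "rejected by all")
```

A dotted name such as the constructed `user.role` passes both RFC 7230 and the straw-man, and is rejected only once "." is removed from the allowed set.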