Re: Permitted characters in HTTP/2 fields

Coming back to this.

Mark points out that if the purpose of these rules is to cut back on ways in which smuggling might occur (not prevent, that's a fool's errand), then we should also prohibit 0x00-0x1f and 0x7f (the ASCII control characters) and 0x20 (SP) from field names.  I think that's reasonable, but I want to check here.  That shouldn't make this harder to implement and it might catch some genuine problems.  (Mark includes citations in discussion on the pull request.)

https://github.com/httpwg/http2-spec/pull/846 has been updated.  I hope, assuming that chairs are OK, this can be merged soon.

On Wed, Apr 28, 2021, at 08:00, Greg Wilkins wrote:
> By all means change the permissible character in fields, but do it with 
> precise ABNF. If there is to be a difference between what SHOULD be 
> sent and what MUST be checked, then have two sets of ABNF.

I don't think that it makes sense to use ABNF for this.  The text seems pretty clear (even if I just wrote it and so am prone to missing errors).  That's just my opinion regarding what you seem to be suggesting is an editorial decision.

Received on Thursday, 20 May 2021 04:34:52 UTC
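
The field-name check discussed in the message above, as an added example that is not part of the original message or of the pull request. It covers only the bytes named there (0x00-0x1f, 0x7f and 0x20) and assumes header fields arrive as (name, value) byte pairs after HPACK decoding; the function names and the sample header list are constructed for illustration.

```python
# Added example: reject HTTP/2 field names containing ASCII control
# characters (0x00-0x1f, 0x7f) or SP (0x20), the bytes named in the message.
# Function names are hypothetical, not taken from any HTTP/2 library.

FORBIDDEN_NAME_BYTES = frozenset(range(0x00, 0x20)) | {0x20, 0x7F}


def check_field_name(name: bytes):
    """Return None if the name passes, else a description of the first bad byte."""
    for offset, byte in enumerate(name):
        if byte in FORBIDDEN_NAME_BYTES:
            kind = "SP" if byte == 0x20 else "control character"
            return f"{kind} 0x{byte:02x} at offset {offset}"
    return None


def validate_header_list(headers):
    """Check every (name, value) pair; return (index, name, reason) per reject."""
    problems = []
    for index, (name, _value) in enumerate(headers):
        reason = check_field_name(name)
        if reason is not None:
            problems.append((index, name, reason))
    return problems


# Constructed sample: a decoded header list with three names that an
# HTTP/1.1 serializer or a downstream parser could interpret differently.
SAMPLE = [
    (b":method", b"POST"),
    (b"content-length", b"0"),
    (b"transfer-encoding ", b"chunked"),  # trailing SP
    (b"x-a\r\nhost", b"internal"),        # CR LF inside the name
    (b"x-del\x7f", b"1"),                 # DEL
]

if __name__ == "__main__":
    for index, name, reason in validate_header_list(SAMPLE):
        print(f"field {index} {name!r}: rejected, {reason}")
```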