Re: Permitted characters in HTTP/2 fields

Hi Martin,

On Thu, May 20, 2021 at 02:34:15PM +1000, Martin Thomson wrote:
> Coming back to this.
> 
> Mark points out that if the purpose of these rules is to cut back on ways in
> which smuggling might occur (not prevent, that's a fool's errand), then we
> should also prohibit 0x00-0x1f and 0x7f (the ASCII control characters) and
> 0x20 (SP) from field names.  I think that's reasonable, but I want to check
> here.  That shouldn't make this harder to implement and it might catch some
> genuine problems.

I really agree. I don't remember if 0x80 and above are forbidden in H2 but
I'd personally prefer to block them so that we don't needlessly introduce
the risk of aliasing due to different codings being used. Protocol elements
that define how messages should be delimited/routed/etc must be strictly
defined and easy to enforce in implementations and applications.

Cheers,
Willy

Received on Thursday, 20 May 2021 16:59:29 UTC