Re: #904: Content on GET requirement strength

Is the spec's explanation of the implications here even sufficient? In
addition to the request getting potentially rejected, might it also lead to
an actual request smuggling attack if the server *doesn't* reject the
request but, instead, interprets it differently?

Given the security risk, the current text doesn't seem strong enough to me.

On Fri, Jul 16, 2021 at 12:15 PM Carsten Bormann <cabo@tzi.org> wrote:

> On 2021-07-16, at 16:33, Mike Bishop <mbishop@evequefou.be> wrote:
> >
> > prior arrangement with all parties -- and it's otherwise prohibited.
>
> Why is this one different from other places where the standard is making
> clear mandates and there is still behavior out there that violates those?
> Are we downgrading all MUSTs to SHOULDs as soon as we see deviating
> behavior between consenting implementations in the wild?
>
> Regards, Carsten
>
>
>
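
The reply above raises the concern that a GET carrying content may be handled inconsistently: one component ignores the declared body while the next one consumes it. As an added example (not code from this thread, from any HTTP implementation, or from the spec text under discussion), the following Python applies one uniform decision to a request head, so that every hop using it agrees on what to do with a GET that declares a body. Rejecting any GET with a non-zero Content-Length or a Transfer-Encoding, while tolerating an explicit "Content-Length: 0", is a policy choice assumed for this example; the sample requests are constructed here and are not captured traffic.

```python
"""Uniform handling of GET requests that declare content.

Added example for the mailing-list discussion; not code from the thread, from
any HTTP implementation, or from the spec. It parses the head of an HTTP/1.1
request and returns a single decision so that every hop applying it agrees:
a GET that declares a body is rejected rather than being read by one hop and
ignored by the next. The policy (tolerate "Content-Length: 0" on GET, reject
any non-zero length or Transfer-Encoding) is an assumption made here.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Decision:
    accept: bool
    reason: str
    method: str = ""
    content_length: Optional[int] = None


def parse_head(raw: bytes):
    """Split the request line and header fields; header names are lower-cased."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request head")
    lines = head.split(b"\r\n")
    parts = lines[0].decode("ascii").split(" ")
    if len(parts) != 3:
        raise ValueError("malformed request line")
    method, target, version = parts
    headers = []
    for line in lines[1:]:
        name, colon, value = line.decode("ascii").partition(":")
        if not colon or not name or name != name.strip():
            # Missing colon or whitespace around the field name: reject, don't guess.
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((name.lower(), value.strip()))
    return method, target, version, headers


def decide(raw: bytes) -> Decision:
    """Return one accept/reject decision for the request head in `raw`."""
    try:
        method, _target, _version, headers = parse_head(raw)
    except ValueError as exc:
        return Decision(False, str(exc))

    lengths = [v for n, v in headers if n == "content-length"]
    encodings = [v for n, v in headers if n == "transfer-encoding"]

    # Message framing must be unambiguous regardless of method.
    if lengths and encodings:
        return Decision(False, "Content-Length and Transfer-Encoding both present", method)
    if any(not v.isdigit() for v in lengths):
        return Decision(False, "non-numeric Content-Length", method)
    if len(set(lengths)) > 1:
        return Decision(False, "conflicting Content-Length values", method)
    length = int(lengths[0]) if lengths else None

    # Assumed policy for GET: no content without prior arrangement; an
    # explicit zero length carries no content and is tolerated.
    if method == "GET" and (encodings or (length or 0) > 0):
        return Decision(False, "GET declares a message body", method, length)

    return Decision(True, "ok", method, length)


# Constructed sample requests for this example (not captured traffic).
SAMPLES = {
    "plain_get": b"GET /index HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "get_zero_length": b"GET /index HTTP/1.1\r\nHost: example.test\r\nContent-Length: 0\r\n\r\n",
    "get_with_content": b"GET /search HTTP/1.1\r\nHost: example.test\r\nContent-Length: 11\r\n\r\nq=something",
    "get_chunked": b"GET /search HTTP/1.1\r\nHost: example.test\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n",
    "post_ok": b"POST /form HTTP/1.1\r\nHost: example.test\r\nContent-Length: 7\r\n\r\na=1&b=2",
    "post_both_framings": b"POST /form HTTP/1.1\r\nHost: example.test\r\nContent-Length: 7\r\nTransfer-Encoding: chunked\r\n\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        d = decide(raw)
        print(f"{name:20} {'accept' if d.accept else 'REJECT':7} {d.reason}")
```

Running the module prints one line per sample; the two GET requests that declare content and the POST with both framing headers are rejected, the rest accepted. The value of the approach is not the individual rule but that the same function runs at every hop, so no hop is left to interpret the GET's content differently from its neighbour.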

Received on Friday, 16 July 2021 16:37:32 UTC