
Re: #904: Content on GET requirement strength

From: David Benjamin <davidben@chromium.org>
Date: Fri, 16 Jul 2021 12:37:03 -0400
Message-ID: <CAF8qwaDXjHZ6cQO5512VsDi7ZRT0wq5h3NQWuR4x67Fq_Qn9Mg@mail.gmail.com>
To: Carsten Bormann <cabo@tzi.org>
Cc: Mike Bishop <mbishop@evequefou.be>, Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>

Is the spec's explanation of the implications here even sufficient? In
addition to the request getting potentially rejected, might it also lead to
an actual request smuggling attack if the server *doesn't* reject the
request but, instead, interprets it differently?

Given the security risk, the current text doesn't seem strong enough to me.

On Fri, Jul 16, 2021 at 12:15 PM Carsten Bormann <cabo@tzi.org> wrote:

> On 2021-07-16, at 16:33, Mike Bishop <mbishop@evequefou.be> wrote:
> >
> > prior arrangement with all parties -- and it's otherwise prohibited.
>
> Why is this one different from other places where the standard is making
> clear mandates and there is still behavior out there that violates those?
> Are we downgrading all MUSTs to SHOULDs as soon as we see deviating
> behavior between consenting implementations in the wild?
>
> Grüße, Carsten
Received on Friday, 16 July 2021 16:37:32 UTC
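The failure mode David asks about, as an added illustration that is not code from the thread or from any HTTP implementation: one connection's bytes contain a single GET whose Content-Length covers a second, hidden request, and the stream is parsed under three hypothetical policies for content on GET (honour the length, ignore it because "GET has no body", or reject the request). A front end that honours the length forwards one request; a back end that ignores it executes two, and on a reused connection the extra one would become the prefix of whatever request the front end forwards next. The byte stream, the policy names and the parser are all constructed for this example.

```python
"""Added illustration (not code from the thread or any HTTP implementation):
why a message body on GET is a request-smuggling hazard when two HTTP/1.1
parsers on one connection disagree about whether GET carries content."""

from typing import Dict, List, Tuple

Request = Tuple[str, str, Dict[str, str], bytes]  # method, target, headers, body

# Hypothetical parser policies for a GET that arrives with a Content-Length:
HONOUR = "honour"   # frame by Content-Length, as RFC 9112 message framing does
IGNORE = "ignore"   # assume "GET has no body" and leave the body bytes on the wire
REJECT = "reject"   # refuse the request outright (and close the connection)


def parse_requests(stream: bytes, get_policy: str) -> List[Request]:
    """Split one connection's bytes into requests under the given GET policy.

    Simplified framing: Content-Length only, no chunked encoding, header names
    folded to lower case. The point is the disagreement, not full RFC parsing.
    """
    requests: List[Request] = []
    pos = 0
    while pos < len(stream):
        end = stream.find(b"\r\n\r\n", pos)
        if end == -1:
            break  # incomplete head: a real server would wait for more bytes
        lines = stream[pos:end].decode("latin-1").split("\r\n")
        method, target, _version = lines[0].split(" ", 2)
        headers: Dict[str, str] = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        pos = end + 4
        length = int(headers.get("content-length", "0"))
        if method == "GET" and length:
            if get_policy == REJECT:
                raise ValueError("GET with content refused; connection closed")
            if get_policy == IGNORE:
                length = 0  # the body bytes now start the *next* request
        body = stream[pos:pos + length]
        pos += length
        requests.append((method, target, headers, body))
    return requests


# Constructed byte stream: a single GET whose declared body is itself a request.
SMUGGLED = (
    b"GET /search?q=x HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Content-Length: 43\r\n"
    b"\r\n"
    b"GET /admin HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"\r\n"
)


def desync(stream: bytes) -> Tuple[List[str], List[str]]:
    """Request targets as seen by a front end that honours Content-Length on
    GET versus a back end that ignores it. When the two lists differ, the
    connection is desynchronised: that is the smuggling condition."""
    front = [target for _, target, _, _ in parse_requests(stream, HONOUR)]
    back = [target for _, target, _, _ in parse_requests(stream, IGNORE)]
    return front, back


if __name__ == "__main__":
    front, back = desync(SMUGGLED)
    print("front end forwards:", front)   # ['/search?q=x']
    print("back end executes: ", back)    # ['/search?q=x', '/admin']
    try:
        parse_requests(SMUGGLED, REJECT)
    except ValueError as exc:
        print("rejecting policy:", exc)
```

Rejecting is the policy that removes the ambiguity; silently discarding the body is the one that creates it. That is the difference between the request merely being refused, which the text already covers, and the request being reinterpreted, which is the case the question raises.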
