Re: More on allowed field characters

From: Willy Tarreau <w@1wt.eu>
Date: Mon, 23 Aug 2021 10:59:32 +0200
To: Greg Wilkins <gregw@webtide.com>
Cc: Martin Thomson <mt@lowentropy.net>, HTTP Working Group <ietf-http-wg@w3.org>, Roy Fielding <fielding@gbiv.com>
Message-ID: <20210823085932.GB15502@1wt.eu>

Hi Greg,

On Mon, Aug 23, 2021 at 06:15:57PM +1000, Greg Wilkins wrote:
> Roy asks (as I did) why are we allowing any of these non valid HTTP
> characters to be considered possibly valid (or just not invalid) in h2?

Actually that was my concern as well but Martin mentions he only tried
to enforce *extra* checks. Thus it's more a matter of formulation or
where it's placed. Please have a look at the proposal I made in this
thread to explain that this is not exclusive to existing checks.

> I
> think to really address #902 then the "MAY treat non valid HTTP characters
> as malformed" needs to at least be upgraded to a SHOULD.

I also think SHOULD is wanted.

> If we really REALLY need to allow some implementation to accept some
> non-valid HTTP characters, then having something along the lines of what
> Willy suggests that has a "MUST NOT generate invalid HTTP" would go a long
> way to satiate

In my opinion we really do not want them to appear on output nor on input,
and it's fortunate that PortSwigger recently reminded us how brittle
all this currently is :-)

Willy
Received on Monday, 23 August 2021 08:59:54 UTC
