- From: Willy Tarreau <w@1wt.eu>
- Date: Mon, 23 Aug 2021 10:59:32 +0200
- To: Greg Wilkins <gregw@webtide.com>
- Cc: Martin Thomson <mt@lowentropy.net>, HTTP Working Group <ietf-http-wg@w3.org>, Roy Fielding <fielding@gbiv.com>
Hi Greg,

On Mon, Aug 23, 2021 at 06:15:57PM +1000, Greg Wilkins wrote:
> Roy asks (as I did) why are we allowing any of these non valid HTTP
> characters to be considered possibly valid (or just not invalid) in h2?

Actually that was my concern as well but Martin mentions he only tried to enforce *extra* checks. Thus it's more a matter of formulation or where it's placed. Please have a look at the proposal I made in this thread to explain that this is not exclusive to existing checks.

> I
> think to really address #902 then the "MAY treat non valid HTTP characters
> as malformed" needs to at least be upgraded to a SHOULD.

I also think SHOULD is wanted.

> If we really REALLY need to allow some implementation to accept some
> non-valid HTTP characters, then having something along the lines of what
> Willy suggests that has a "MUST NOT generate invalid HTTP" would go a long
> way to satiate

In my opinion we really do not want them to appear on output nor on input, and it's fortunate that PortSwigger recently reminded us how brittle all this currently is :-)

Willy
Received on Monday, 23 August 2021 08:59:54 UTC