Re: More on allowed field characters

On Mon, Aug 23, 2021, at 18:59, Willy Tarreau wrote:
> Hi Greg,
> 
> On Mon, Aug 23, 2021 at 06:15:57PM +1000, Greg Wilkins wrote:
> > Roy asks (as I did) why are we allowing any of these non valid HTTP
> > characters to be considered possibly valid (or just not invalid) in h2?
> 
> Actually that was my concern as well but Martin mentions he only tried
> to enforce *extra* checks. Thus it's more a matter or formulation or
> where it's placed. Please have a look at the proposal I made in this
> thread to explain that this is not exclusive to existing checks.

I think that's right.  I've attempted to paraphrase your suggestions on the pull request.
 
> > I
> > think to really address #902 then the "MAY treat non valid HTTP characters
> > as malformed" needs to at least be upgraded to a SHOULD.
> 
> I also think SHOULD is wanted.

I am thinking that neither is correct: we should assume that endpoints will apply those rules.  This is mostly about forwarding and other intermediary processing.  We should just note that those rules exist and note that they could be enforced (either additionally or instead, it doesn't matter as the effect is the same).

Received on Tuesday, 24 August 2021 01:20:34 UTC