- From: Willy Tarreau <w@1wt.eu>
- Date: Fri, 27 Aug 2021 07:20:19 +0200
- To: Greg Wilkins <gregw@webtide.com>
- Cc: Martin Thomson <mt@lowentropy.net>, Roy Fielding <fielding@gbiv.com>, HTTP Working Group <ietf-http-wg@w3.org>
On Fri, Aug 27, 2021 at 01:42:10PM +1000, Greg Wilkins wrote: > Martin, Roy, > > How about the latest text is augmented to say something like: > > The HPACK is able to transport characters that are not valid HTTP and as > such HTTP/2 implementations may be used for > non-HTTP semantic transport. HTTP/2 implementations that are used to > represent HTTP semantics MUST validate field > names and values according to their definitions in Sections <xref > target="HTTP" section="5.1" format="counter"/> > > > I.e make it really clear that when HTTP/2 impl is being used with the core > HTTP spec then it MUST comply with that spec. If it is transporting > non-HTTP compliant headers, then it make it clear it is not representing > HTTP semantics. I think it's roughly the same as what is already there, but I'm fine with this. However I really want that we keep the extra caution about the risk of failing to filter out CR/LF/COLON from these fields by reusing known valid code which was not subject to this before H2, and that we add the caution on what must absolutely be filtered out of pseudo-header fields before reassembling them. Willy
Received on Friday, 27 August 2021 05:20:45 UTC