W3C home > Mailing lists > Public > ietf-http-wg@w3.org > July to September 2021

Re: More on allowed field characters

From: Willy Tarreau <w@1wt.eu>
Date: Fri, 27 Aug 2021 07:20:19 +0200
To: Greg Wilkins <gregw@webtide.com>
Cc: Martin Thomson <mt@lowentropy.net>, Roy Fielding <fielding@gbiv.com>, HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <20210827052018.GA26079@1wt.eu>
On Fri, Aug 27, 2021 at 01:42:10PM +1000, Greg Wilkins wrote:
> Martin, Roy,
> 
> How about the latest text is augmented to say something like:
> 
> The HPACK is able to transport characters that are not valid HTTP and as
> such HTTP/2 implementations may be used for
> non-HTTP semantic transport.  HTTP/2 implementations that are used to
> represent HTTP semantics MUST validate field
> names and values according to their definitions in Sections <xref
> target="HTTP" section="5.1" format="counter"/>
> 
> 
> I.e make it really clear that when HTTP/2 impl is being used with the core
> HTTP spec then it MUST comply with that spec.  If it is transporting
> non-HTTP compliant headers, then it make it clear it is not representing
> HTTP semantics.

I think it's roughly the same as what is already there, but I'm fine
with this. However I really want that we keep the extra caution about
the risk of failing to filter out CR/LF/COLON from these fields by
reusing known valid code which was not subject to this before H2, and
that we add the caution on what must absolutely be filtered out of
pseudo-header fields before reassembling them.

Willy
Received on Friday, 27 August 2021 05:20:45 UTC

This archive was generated by hypermail 2.4.0 : Friday, 27 August 2021 05:20:48 UTC