- From: Julian Reschke <julian.reschke@gmx.de>
- Date: Thu, 13 Apr 2023 07:46:17 +0200
- To: ietf-http-wg@w3.org
On 12.04.2023 22:33, Justin Richer wrote: > I’ve put together a PR that should hopefully address the last few > problems with encodings in signatures for both query parameters and > header fields: > > https://github.com/httpwg/http-extensions/pull/2505 > <https://github.com/httpwg/http-extensions/pull/2505> (see feedback over there) > This does have a breaking change in how “@query-param” is handled, based > on potential issues with the value of the decoded query parameter from > the HTML URL specification > (https://url.spec.whatwg.org/#urlencoded-serializing > <https://url.spec.whatwg.org/#urlencoded-serializing>). Namely, it could > include newlines. Instead of trying to use binary-wrapping or some other > trick, I’m proposing we just lean on the existing percent-encoding that > HTML URL spec includes. This also helps with systems that decode “+” and > “%20” as a space, and could give verifiers headaches when dealing with > the decoded value. Just to clarify: this will treat "%20", "+", and " " (although illegal in a query) the same way, just as browsers do. > The PR includes additional examples of these cases. > > Even though this is a breaking change, the editors believe that this is > a bug-fix type of change that affects a very small portion of users of > this feature, and so do not suggest that the document be returned to > WGLC. We’d appreciate some feedback to this new method. > > — Justin Best regards, Julian
Received on Thursday, 13 April 2023 05:46:24 UTC