Re: Ambiguity about how to deal with received fragments in URI

I agree the handling for a server is ambiguous. In hyper, we've just
ignored including it in `req.uri()`, so user code cannot access it. If it
were clarified in the RFC that we should reject with a 400, we could
consider making that change.

It's not infrequent that users ask to be allowed to access it, and
currently the only thing I can point them to is "the client shouldn't send
it".

On Thu, Jul 27, 2023 at 5:58 AM Mark Thomas <markt@apache.org> wrote:

> On 27/07/2023 10:05, Willy Tarreau wrote:
>
> > Thus I'd like to collect some opinions here from other implementers.
> > Are there any who reject requests containing fragments in the URI?
>
> As of the Servlet 6.0 specification, Servlet containers are required to
> reject such requests with a 400 response so Tomcat, Jetty etc will do so.
>
> I'm not aware of any objections to this behaviour to date.
>
> Mark
>
>

Received on Thursday, 27 July 2023 12:18:10 UTC
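
The two server behaviours discussed in this thread, dropping the fragment before the application sees the URI versus answering 400, as an added example that is not part of the original message and is not code from hyper, Tomcat or Jetty. The names `FragmentPolicy`, `Target` and `parse_request_line` are hypothetical, and the request lines are constructed samples.

```rust
// Added example: a stand-alone request-line parser, not any project's own code.
// All type and function names here are hypothetical.

#[derive(Debug, PartialEq, Clone, Copy)]
pub enum FragmentPolicy {
    /// Drop the fragment before exposing the URI (the first behaviour in the thread).
    Strip,
    /// Refuse the request with 400 (the behaviour quoted for Servlet 6.0).
    Reject,
}

#[derive(Debug, PartialEq)]
pub struct Target {
    pub path: String,
    pub query: Option<String>,
}

/// Parse an HTTP/1.1 request line with an origin-form target.
/// Returns what application code would see, or the status code to answer with.
pub fn parse_request_line(line: &str, policy: FragmentPolicy) -> Result<Target, u16> {
    let mut parts = line.split(' ');
    let (method, raw, version) = match (parts.next(), parts.next(), parts.next(), parts.next()) {
        (Some(m), Some(t), Some(v), None) => (m, t, v),
        _ => return Err(400),
    };
    if method.is_empty() || !version.starts_with("HTTP/1.") || !raw.starts_with('/') {
        return Err(400);
    }
    // '#' is not valid inside a path or query, so the first one starts the fragment.
    let without_fragment = match (raw.split_once('#'), policy) {
        (None, _) => raw,
        (Some((head, _)), FragmentPolicy::Strip) => head,
        (Some(_), FragmentPolicy::Reject) => return Err(400),
    };
    let (path, query) = match without_fragment.split_once('?') {
        Some((p, q)) => (p, Some(q.to_string())),
        None => (without_fragment, None),
    };
    Ok(Target { path: path.to_string(), query })
}

fn main() {
    // Constructed sample request lines.
    for line in ["GET /a?x=1 HTTP/1.1", "GET /a?x=1#frag HTTP/1.1", "GET /a#b?x=1 HTTP/1.1"] {
        for policy in [FragmentPolicy::Strip, FragmentPolicy::Reject] {
            println!("{:<28} {:?} -> {:?}", line, policy, parse_request_line(line, policy));
        }
    }
}
```

The third sample shows why the order of the splits matters: a `?` that follows `#` belongs to the fragment, so under `Strip` the application sees no query at all.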