Invalid Characters in URLs from Ryan Hamilton on 2024-09-19 (ietf-http-wg@w3.org from July to September 2024)

From: Ryan Hamilton <rch@google.com>
Date: Thu, 19 Sep 2024 13:08:46 -0700
To: HTTP Working Group <ietf-http-wg@w3.org>
Cc: Biren Roy <birenroy@google.com>
Message-ID: <CAJ_4DfTw6rEAPYuesR42-rdZ4Hh2qv06XaMbRuhZRSiLqB7SRQ@mail.gmail.com>

Howdy Folks,

We've been doing some work lately to tighten up our HTTP spec compliance,
specifically around invalid characters in URLs
<https://quiche.googlesource.com/quiche/+/4249f8025caed1e3d71d04d9cadf42251acb7cac/quiche/balsa/header_properties.h#54>.
Perhaps not surprisingly, we've seen many request which include one or more
of the following character, which are prohibited by RFC 3986: *[]{}|^*

Presumably other implementers see this as well? RFC 3986 came out in 2005
and I suspect the web has evolved significantly since then. In much the
same way the WG is addressing the issue of invalid characters in Cookies as
part of rfc6265bis, is there any appetite in the WG for addressing the
issue of invalid characters in URLs?

Cheers,

Ryan

Received on Thursday, 19 September 2024 20:09:04 UTC