Re: Invalid Characters in URLs from Lucas Pardue on 2024-09-19 (ietf-http-wg@w3.org from July to September 2024)

From: Lucas Pardue <lucas@lucaspardue.com>
Date: Thu, 19 Sep 2024 21:34:08 +0100
To: "Ryan Hamilton" <rch@google.com>, "HTTP Working Group" <ietf-http-wg@w3.org>
Cc: "Biren Roy" <birenroy@google.com>
Message-Id: <c87e873f-26a9-4094-bb61-24b43d6ecc48@app.fastmail.com>

On Thu, Sep 19, 2024, at 21:08, Ryan Hamilton wrote:
> Howdy Folks,
> 
> We've been doing some work lately to tighten up our HTTP spec compliance, specifically around invalid characters in URLs <https://quiche.googlesource.com/quiche/+/4249f8025caed1e3d71d04d9cadf42251acb7cac/quiche/balsa/header_properties.h#54>. Perhaps not surprisingly, we've seen many request which include one or more of the following character, which are prohibited by RFC 3986: *[]{}|^*
> 
> Presumably other implementers see this as well? RFC 3986 came out in 2005 and I suspect the web has evolved significantly since then. In much the same way the WG is addressing the issue of invalid characters in Cookies as part of rfc6265bis, is there any appetite in the WG for addressing the issue of invalid characters in URLs?
> 
> Cheers,
> Ryan

FWIW I can't see anything about "{" or "}" in RFC 3986 itself. While it obsoletes RFC 2396, which did mention those two, I'm not really sure what the current truth is meant to be :-)

Received on Thursday, 19 September 2024 20:34:34 UTC