Re: [whatwg/fetch] Define multipart/form-data (PR #1922)

@andreubotella commented on this pull request.



> +
+<p>A <dfn export for="multipart/form-data" lt="boundary"><code>multipart/form-data</code>
+boundary</dfn> is a <a for=/>byte sequence</a> such that:
+
+<ul>
+ <li><p>its length is greater than 26 and less than 71, and
+
+ <li><p>it is composed by bytes in the ranges 0x30 to 0x39, 0x41 to 0x5A, or 0x61 to 0x7A,
+ inclusive (<a>ASCII alphanumeric</a>), or which are 0x27 ('), 0x2D (-) or 0x5F (_).
+</ul>
+
+<div algorithm>
+<p>To <dfn export for="multipart/form-data/boundary">generate</dfn> a
+<a for="multipart/form-data" lt="boundary"><code>multipart/form-data</code> boundary</a>, return an
+<a>implementation-defined</a> <a for=/>byte sequence</a> which fulfills the conditions for
+boundaries, such that part of it is randomly generated, with a minimum entropy of 95 bits.
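
Review bot: In the generate algorithm, "part of it is randomly generated, with a minimum entropy of 95 bits" does not say how the random part is drawn (uniformly or not, and from what kind of source), so two implementations can both claim conformance with very different predictability. Suggest stating the requirement in terms the definition above already gives: the permitted set is 65 byte values, so 16 bytes chosen uniformly and independently from it carry about 96 bits, which fits easily under the 27-byte minimum length. The threshold of 95 is also not motivated anywhere in the text; a short note saying where it comes from would help. Minor wording in the list: "composed by bytes" should read "composed of bytes", and the length bound would be clearer stated inclusively ("at least 27 and at most 70") to match the "inclusive" phrasing used for the byte ranges.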

This was based on my analysis which IIRC concluded that Chromium/WebKit's boundary had exactly 95 bits of entropy, and that Gecko's was probably close to but less than 96 bits. But I see that at least Gecko has changed its boundary string generation now, and I'm not sure where it stands.

Do we want to spec something here that aligns with current implementations, or do we want to change this to some round number that makes sense (e.g. 32 * 3 = 96 bits would be easy to implement), and make implementations match?

-- 
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/pull/1922#pullrequestreview-4112883707

Message ID: <whatwg/fetch/pull/1922/review/4112883707@github.com>

Received on Wednesday, 15 April 2026 10:52:30 UTC