- From: Jonas Sicking <jonas@sicking.cc>
- Date: Mon, 23 Feb 2015 10:59:06 -0800
- To: Anne van Kesteren <annevk@annevk.nl>
- Cc: Martin Thomson <martin.thomson@gmail.com>, WebAppSec WG <public-webappsec@w3.org>, WebApps WG <public-webapps@w3.org>
On Sat, Feb 21, 2015 at 11:18 PM, Anne van Kesteren <annevk@annevk.nl> wrote: > On Sat, Feb 21, 2015 at 10:17 AM, Martin Thomson > <martin.thomson@gmail.com> wrote: >> On 21 February 2015 at 20:43, Anne van Kesteren <annevk@annevk.nl> wrote: >>> High-byte of what? A URL is within ASCII range when it reaches the >>> server. This is the first time I hear of this. >> >> Apparently, all sorts of muck floats around the Internet. When we did >> HTTP/2 we were forced to accept that header field values (URLs in >> particular) were a sequence of octets. Those are often interpreted as >> strings in various interesting ways. > > But in this particular case it must be the browser that generates said > muck, no? Other than Internet Explorer (and that's a couple versions > ago, so wouldn't support this protocol anyway), there's no browser > that does this as far as I know. All browsers support sending %xx stuff to the server. Decoding those is likely more often than not happening in a server-specific way still. Despite specs defining how they should do it. / Jonas
Received on Monday, 23 February 2015 19:00:08 UTC