Re: [CSP] URI/IRI normalization and comparison

Anne van Kesteren <> wrote:
> On Mon, Nov 10, 2014 at 2:18 AM, Brian Smith <> wrote:
>> Header encoding is defined in the HTTP specification. Also, there are
>> about 3 million emails on the HTTP WG mailing list about this topic.
> As far as I know that's false. Legacy headers are decoded per
> "original latin1". For new headers you need to specify it. Of course,
> that completely fails with generic APIs, I'm not sure if they
> considered that.

I think you may be looking at the obsolete version of the spec (RFC
2616). This was fixed (not as completely as I would like) in the new
version (RFC 7230).

   A recipient MUST parse an HTTP message as a sequence of octets in an
   encoding that is a superset of US-ASCII [USASCII].  Parsing an HTTP
   message as a stream of Unicode characters, without regard for the
   specific encoding, creates security vulnerabilities due to the
   varying ways that string processing libraries handle invalid
   multibyte character sequences that contain the octet LF (%x0A).

   Historically, HTTP has allowed field content with text in the
   ISO-8859-1 charset [ISO-8859-1], supporting other charsets only
   through use of [RFC2047] encoding.  In practice, most HTTP header
   field values use only a subset of the US-ASCII charset [USASCII].
   Newly defined header fields SHOULD limit their field values to
   US-ASCII octets.  A recipient SHOULD treat other octets in field
   content (obs-text) as opaque data.


Received on Tuesday, 11 November 2014 22:37:08 UTC