W3C home > Mailing lists > Public > public-webappsec@w3.org > February 2015

Re: CORS performance proposal

From: Anne van Kesteren <annevk@annevk.nl>
Date: Sun, 22 Feb 2015 08:18:54 +0100
Message-ID: <CADnb78jRUMKvzqe_e-qQMiZL7NgTXmA-XrqCYKsTR9St6D5ALw@mail.gmail.com>
To: Martin Thomson <martin.thomson@gmail.com>
Cc: Jonas Sicking <jonas@sicking.cc>, WebAppSec WG <public-webappsec@w3.org>, WebApps WG <public-webapps@w3.org>
On Sat, Feb 21, 2015 at 10:17 AM, Martin Thomson
<martin.thomson@gmail.com> wrote:
> On 21 February 2015 at 20:43, Anne van Kesteren <annevk@annevk.nl> wrote:
>> High-byte of what? A URL is within ASCII range when it reaches the
>> server. This is the first time I hear of this.
> Apparently, all sorts of muck floats around the Internet.  When we did
> HTTP/2 we were forced to accept that header field values (URLs in
> particular) were a sequence of octets.  Those are often interpreted as
> strings in various interesting ways.

But in this particular case it must be the browser that generates said
muck, no? Other than Internet Explorer (and that's a couple versions
ago, so wouldn't support this protocol anyway), there's no browser
that does this as far as I know.

> I wouldn't *completely* discount the potential for the conversions
> Jonas mentions here.  A Java server might parse UTF-8 into the
> internal UTF-16 representation and then who knows what happens next.

There's no utf-8 either.

Received on Sunday, 22 February 2015 07:19:18 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:46 UTC