- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Sun, 22 Feb 2015 08:18:54 +0100
- To: Martin Thomson <martin.thomson@gmail.com>
- Cc: Jonas Sicking <jonas@sicking.cc>, WebAppSec WG <public-webappsec@w3.org>, WebApps WG <public-webapps@w3.org>
On Sat, Feb 21, 2015 at 10:17 AM, Martin Thomson <martin.thomson@gmail.com> wrote: > On 21 February 2015 at 20:43, Anne van Kesteren <annevk@annevk.nl> wrote: >> High-byte of what? A URL is within ASCII range when it reaches the >> server. This is the first time I hear of this. > > Apparently, all sorts of muck floats around the Internet. When we did > HTTP/2 we were forced to accept that header field values (URLs in > particular) were a sequence of octets. Those are often interpreted as > strings in various interesting ways. But in this particular case it must be the browser that generates said muck, no? Other than Internet Explorer (and that's a couple versions ago, so wouldn't support this protocol anyway), there's no browser that does this as far as I know. > I wouldn't *completely* discount the potential for the conversions > Jonas mentions here. A Java server might parse UTF-8 into the > internal UTF-16 representation and then who knows what happens next. There's no utf-8 either. -- https://annevankesteren.nl/
Received on Sunday, 22 February 2015 07:19:18 UTC