W3C home > Mailing lists > Public > public-webappsec@w3.org > February 2015

Re: CORS performance proposal

From: Jonas Sicking <jonas@sicking.cc>
Date: Mon, 23 Feb 2015 10:59:06 -0800
Message-ID: <CA+c2ei_vXDLYK5Z2a1hryf8fgQXLPwF-Erq_62N_D-u7OJVi-A@mail.gmail.com>
To: Anne van Kesteren <annevk@annevk.nl>
Cc: Martin Thomson <martin.thomson@gmail.com>, WebAppSec WG <public-webappsec@w3.org>, WebApps WG <public-webapps@w3.org>
On Sat, Feb 21, 2015 at 11:18 PM, Anne van Kesteren <annevk@annevk.nl> wrote:
> On Sat, Feb 21, 2015 at 10:17 AM, Martin Thomson
> <martin.thomson@gmail.com> wrote:
>> On 21 February 2015 at 20:43, Anne van Kesteren <annevk@annevk.nl> wrote:
>>> High-byte of what? A URL is within ASCII range when it reaches the
>>> server. This is the first time I hear of this.
>> Apparently, all sorts of muck floats around the Internet.  When we did
>> HTTP/2 we were forced to accept that header field values (URLs in
>> particular) were a sequence of octets.  Those are often interpreted as
>> strings in various interesting ways.
> But in this particular case it must be the browser that generates said
> muck, no? Other than Internet Explorer (and that's a couple versions
> ago, so wouldn't support this protocol anyway), there's no browser
> that does this as far as I know.

All browsers support sending %xx stuff to the server. Decoding those
is likely more often than not happening in a server-specific way
still. Despite specs defining how they should do it.

/ Jonas
Received on Monday, 23 February 2015 19:00:09 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:46 UTC