W3C home > Mailing lists > Public > public-webappsec@w3.org > September 2016

Re: Quoted Referrer-Policy values

From: Anne van Kesteren <annevk@annevk.nl>
Date: Wed, 7 Sep 2016 17:32:42 +0200
Message-ID: <CADnb78iBTZb-5WNezYVuWsgf+0xg9QTf18tiSPpcKzBZ7Fxk-A@mail.gmail.com>
To: Mike West <mkwst@google.com>
Cc: "Emily Stark (Dunn)" <estark@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Francois Marier <francois@mozilla.com>, Franziskus Kiefer <fkiefer@mozilla.com>
On Wed, Sep 7, 2016 at 2:08 PM, Mike West <mkwst@google.com> wrote:
> I think the more general question is how we'd like to define header syntax
> going forward. The HTTP WG in the IETF seems less keen on JSON than I'd
> originally thought (http://httpwg.org/http-extensions/jfv.html being more of
> an indication that "Some structure would be nice!" rather than a ringing
> endorsement of JSON in and of itself). Still, my impression is that JSON is
> something that developers understand, and have lots of tooling to support.

However, JSON on the web thus far is bound to UTF-8. In HTTP you'd be
bound to code points in the range U+0000 to U+00FF, inclusive (with
some whitespace and maybe control code point exceptions, unclear). So
it's not a straightforward mapping nor could you use your normal
serialization tools, etc.

I tend to agree that HTTP should get a better story for header
parsing, but if the HTTP WG is not behind this strategy and it has
some complications, I'm not sure why we should try to push it through.

> Given that background, I'd suggest it would be prudent to define header
> syntax that's forward-compatible with structured languages like JSON.
> Quoting the referrer policy values does that pretty cleanly. I think it's
> worth making the change.

Received on Wednesday, 7 September 2016 15:33:07 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:57 UTC