- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Wed, 7 Sep 2016 18:26:15 +0200
- To: Mike West <mkwst@google.com>
- Cc: "Emily Stark (Dunn)" <estark@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Francois Marier <francois@mozilla.com>, Franziskus Kiefer <fkiefer@mozilla.com>

On Wed, Sep 7, 2016 at 5:59 PM, Mike West <mkwst@google.com> wrote:
> 1. We're defining more headers than anyone else at the moment, so we should
> probably have an opinion.

Yeah, I don't think we can do it in isolation though. We should also figure out the parsing for existing headers and figure out some kind of holistic strategy. Just using JSON for headers we add (but not necessarily all, unless you have a plan for catching all new headers that get into browsers) might help, but unless there's agreement we can never get to the point where all existing headers are in some safelist and everything new gets parsed as JSON.

> 2. Quoting things is fairly agnostic; it leaves room for a number of more
> structure options that barewords don't. It's also super low-cost. Seems like
> a reasonable baby step.

Is quoted-string in HTTP case-insensitive? This probably shouldn't be if we want actual JSON.

--
https://annevankesteren.nl/

Received on Wednesday, 7 September 2016 16:26:42 UTC