IETF Logo Mail Archive

Re: Call for Adoption: draft-reschke-rfc54987bis

Willy Tarreau <w@1wt.eu> Wed, 01 April 2015 19:53 UTC

Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B97A31A9044 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Wed, 1 Apr 2015 12:53:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.912
X-Spam-Level:
X-Spam-Status: No, score=-6.912 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eL6hTmQBoeIx for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Wed, 1 Apr 2015 12:53:28 -0700 (PDT)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7D00C1A8FD5 for <httpbisa-archive-bis2Juki@lists.ietf.org>; Wed, 1 Apr 2015 12:53:28 -0700 (PDT)
Received: from lists by frink.w3.org with local (Exim 4.80) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1YdOez-0004EO-6r for ietf-http-wg-dist@listhub.w3.org; Wed, 01 Apr 2015 19:50:45 +0000
Resent-Date: Wed, 01 Apr 2015 19:50:45 +0000
Resent-Message-Id: <E1YdOez-0004EO-6r@frink.w3.org>
Received: from maggie.w3.org ([128.30.52.39]) by frink.w3.org with esmtp (Exim 4.80) (envelope-from <w@1wt.eu>) id 1YdOex-0004Dc-2t for ietf-http-wg@listhub.w3.org; Wed, 01 Apr 2015 19:50:43 +0000
Received: from wtarreau.pck.nerim.net ([62.212.114.60] helo=1wt.eu) by maggie.w3.org with esmtp (Exim 4.72) (envelope-from <w@1wt.eu>) id 1YdOew-0007r5-4T for ietf-http-wg@w3.org; Wed, 01 Apr 2015 19:50:43 +0000
Received: (from willy@localhost) by pcw.home.local (8.14.3/8.14.3/Submit) id t31JoHLH008026; Wed, 1 Apr 2015 21:50:17 +0200
Date: Wed, 01 Apr 2015 21:50:17 +0200
From: Willy Tarreau <w@1wt.eu>
To: Julian Reschke <julian.reschke@gmx.de>
Cc: Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <20150401195017.GA8021@1wt.eu>
References: <1C7436D4-D1EF-454C-BC14-E8C00165AA2E@mnot.net> <20150331054245.GB7069@1wt.eu> <551BA8A3.2030505@gmx.de> <20150401191930.GB8013@1wt.eu> <551C4AAD.60505@gmx.de>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <551C4AAD.60505@gmx.de>
User-Agent: Mutt/1.4.2.3i
Received-SPF: pass client-ip=62.212.114.60; envelope-from=w@1wt.eu; helo=1wt.eu
X-W3C-Hub-Spam-Status: No, score=-5.0
X-W3C-Hub-Spam-Report: AWL=-1.068, BAYES_00=-1.9, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, W3C_AA=-1, W3C_WL=-1
X-W3C-Scan-Sig: maggie.w3.org 1YdOew-0007r5-4T 036204424e5e282608cf9886cd214703
X-Original-To: ietf-http-wg@w3.org
Subject: Re: Call for Adoption: draft-reschke-rfc54987bis
Archived-At: <http://www.w3.org/mid/20150401195017.GA8021@1wt.eu>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/29194
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

On Wed, Apr 01, 2015 at 09:44:45PM +0200, Julian Reschke wrote:
> >>b) How do you want to signal an error on a *response*?
> >
> >Good point. In haproxy we return a 502 bad gateway when the server
> >returns something unparsable. Only the client receives it and (in
> >rare occasions) reports it.
> 
> For Content-Disposition, this would likely break things that "work" 
> today (for some value of "work").

Yes I understand after seeing the RFC6266 you pointed.

> >>>Also, I'd prefer to make it explicitly forbidden to %-encode US-ASCII
> >>>characters because this could be used to bypass some WAFs for example :
> >>>if it is detected that a server implements this standard and is able
> >>>to %-decode some attributes in header fields, and a WAF in the middle
> >>>does not, the client can abuse the %-encoding to try to hide some
> >>>activities.
> >>
> >>Yes, that's the case right now. I'd argue that the spec has been out for
> >>ages, so the intermediary ought to be fixed.
> >
> >I had never heard about %-encoding in header fields to be honnest,
> >and I don't know which servers or intermediaries decode them given
> >that unless I'm mistaken, "%" is a valid character in a header field
> >and doesn't imply %-encoding.
> 
> You may want to re-read the spec. It only applies to specific parameter 
> names ending in "*".

I didn't understand that "*" was part of the name but I understood it
as one delimiter to indicate an alternate encoding. Thus I agree that
it is different and limited in scope because it implies that the other
end has to explicitly consume thus name.

(...)
> >>For instance,
> >>RFC 6266 discusses these constraints for the filename parameter.
> >
> >Indeed, I wasn't aware of this. And it uses the same syntax as in
> >your proposal.
> 
> It uses the encoding defined in RFC 5987, and that's the spec we would 
> be revising here.

Thanks for the explanations. I'd say I don't like much what it looks
like, but if you're reusing something that was already in use, at
least it's better than having to support another extra special case.

Thanks,
Willy

v2.23.0 | Report a Bug | By Email