IETF Logo Mail Archive

Re: #429: Multiple header fields with the same field name - unwritten assumption about quoted commas in values?

Mark Nottingham <mnot@mnot.net> Mon, 21 January 2013 00:19 UTC

Return-Path: <ietf-http-wg-request@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A715A21F8765 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Sun, 20 Jan 2013 16:19:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.94
X-Spam-Level:
X-Spam-Status: No, score=-7.94 tagged_above=-999 required=5 tests=[AWL=0.060, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 37FuB64acIVr for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Sun, 20 Jan 2013 16:19:41 -0800 (PST)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) by ietfa.amsl.com (Postfix) with ESMTP id 078A321F869C for <httpbisa-archive-bis2Juki@lists.ietf.org>; Sun, 20 Jan 2013 16:18:56 -0800 (PST)
Received: from lists by frink.w3.org with local (Exim 4.72) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1Tx55C-0001HI-1E for ietf-http-wg-dist@listhub.w3.org; Mon, 21 Jan 2013 00:17:50 +0000
Resent-Date: Mon, 21 Jan 2013 00:17:50 +0000
Resent-Message-Id: <E1Tx55C-0001HI-1E@frink.w3.org>
Received: from lisa.w3.org ([128.30.52.41]) by frink.w3.org with esmtp (Exim 4.72) (envelope-from <mnot@mnot.net>) id 1Tx555-0001Ep-Dg for ietf-http-wg@listhub.w3.org; Mon, 21 Jan 2013 00:17:43 +0000
Received: from mxout-07.mxes.net ([216.86.168.182]) by lisa.w3.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.72) (envelope-from <mnot@mnot.net>) id 1Tx554-0001dI-JC for ietf-http-wg@w3.org; Mon, 21 Jan 2013 00:17:43 +0000
Received: from mnot-mini.mnot.net (unknown [118.209.240.13]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by smtp.mxes.net (Postfix) with ESMTPSA id 0F0BA22E1FA; Sun, 20 Jan 2013 19:17:17 -0500 (EST)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 6.2 \(1499\))
From: Mark Nottingham <mnot@mnot.net>
In-Reply-To: <20130120071517.GG6838@1wt.eu>
Date: Mon, 21 Jan 2013 11:17:14 +1100
Cc: Zhong Yu <zhong.j.yu@gmail.com>, "Roy T. Fielding" <fielding@gbiv.com>, Nico Williams <nico@cryptonector.com>, Karl Dubost <karld@opera.com>, Julian Reschke <julian.reschke@gmx.de>, Piotr Dobrogost <p@ietf.dobrogost.net>, ietf-http-wg@w3.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <742F7073-42A1-44BC-9889-75E33115F84C@mnot.net>
References: <C6A43E78-4F94-4FE3-A049-678555896FEC@mnot.net> <CAK3OfOiS1UPqvsk5H8RWUKyw8MB=uykeMkXzZoffm6732=UjMg@mail.gmail.com> <86DE887E-B189-40D2-A867-C81CFB0434AB@mnot.net> <CAK3OfOiWzJqHr8VSzn6WFcWRGJEr59XiUyh+wGTDnf1ydVL=3g@mail.gmail.com> <1390897A-59CF-451B-B3CD-BB39906BDACD@mnot.net> <CAK3OfOg17M3LTPwFJXFuHrq4AZh505hq27xoeVwJsPTvA7_3aw@mail.gmail.com> <A9D632AF-448F-4B5A-B3A0-33CF9BFDC3B4@gbiv.com> <20130116065254.GA12426@1wt.eu> <CACuKZqH226evA0v26aop5oXtbjm8m=ePFip=1roJmrA3tygrGg@mail.gmail.com> <CA0A2954-F3D6-4255-A38F-3BD5D7E0FE0C@mnot.net> <20130120071517.GG6838@1wt.eu>
To: Willy Tarreau <w@1wt.eu>
X-Mailer: Apple Mail (2.1499)
Received-SPF: pass client-ip=216.86.168.182; envelope-from=mnot@mnot.net; helo=mxout-07.mxes.net
X-W3C-Hub-Spam-Status: No, score=-4.2
X-W3C-Hub-Spam-Report: AWL=-2.255, BAYES_00=-1.9, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001
X-W3C-Scan-Sig: lisa.w3.org 1Tx554-0001dI-JC 1c05fd6b7070debf8799715a2c5fb077
X-Original-To: ietf-http-wg@w3.org
Subject: Re: #429: Multiple header fields with the same field name - unwritten assumption about quoted commas in values?
Archived-At: <http://www.w3.org/mid/742F7073-42A1-44BC-9889-75E33115F84C@mnot.net>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/16067
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

On 20/01/2013, at 6:15 PM, Willy Tarreau <w@1wt.eu> wrote:

> Hi Mark,
> 
> On Sun, Jan 20, 2013 at 01:53:39PM +1100, Mark Nottingham wrote:
>> Now <http://trac.tools.ietf.org/wg/httpbis/trac/ticket/429>.
> 
> Quite frankly, I'd prefer to stay on Roy's side which consists in saying
> that when a compliant message is passed to an intermediary, the output is
> a compliant message, and when a non-compliant message is passed, the
> output is indetermined.
> 
> Otherwise we'll have to document all possible corner cases, which will
> result in even worse implementations givent that we won't be exhaustive.
> 
> Probably that all the trouble comes from the obligations made to senders,
> with senders sometimes being intermediaries. I've been bothered by this
> in the past. So the point above at least would solve the issue for them :
> they have to emit clean things but if they forward stupid things, well,
> it's the other side's fault.


I know, and agree with the spirit of what you're saying. 

Digging around, it's gratifying to see that we already cover this somewhat in [1]:

> Whether the field is a single value, or whether it can be a list (delimited by commas; see Section 3.2 of [Part1]).
> 
> If it does not use the list syntax, document how to treat messages where the field occurs multiple times (a sensible default would be to ignore the field, but this might not always be the right choice).
> 
> Note that intermediaries and software libraries might combine multiple header field instances into a single one, despite the field's definition not allowing the list syntax. A robust format enables recipients to discover these situations (good example: "Content-Type", as the comma can only appear inside quoted strings; bad example: "Location", as a comma can occur inside a URI).

I think the remaining questions are:

 - Is it necessary to say anything regarding Location? The security aspect here is pretty limited, AFAICT; while it can certainly cause interop problems (the easy answer to which is "don't do that"), I don't see how it's useful to say anything about the security risks, because if an attacker can insert a new Location header in your response, they can do pretty much anything else they want too... And, unlike Content-Length (where we *have* said something), it doesn't affect framing.

 - Are there any other headers that we define where something should be said? I think we've already reviewed and said no. Anyone?

So, absent any further discussion, I'll close the issue.

Cheers,


1. https://svn.tools.ietf.org/svn/wg/httpbis/draft-ietf-httpbis/latest/p2-semantics.html#considerations.for.new.header.fields

--
Mark Nottingham   http://www.mnot.net/

v2.23.0 | Report a Bug | By Email