IETF Logo Mail Archive

#429: Multiple header fields with the same field name - unwritten assumption about quoted commas in values?

Mark Nottingham <mnot@mnot.net> Sun, 20 January 2013 02:54 UTC

Return-Path: <ietf-http-wg-request@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 58B2121F84EA for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Sat, 19 Jan 2013 18:54:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.185
X-Spam-Level:
X-Spam-Status: No, score=-9.185 tagged_above=-999 required=5 tests=[AWL=1.414, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Fu5UfUBi+nRP for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Sat, 19 Jan 2013 18:54:45 -0800 (PST)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) by ietfa.amsl.com (Postfix) with ESMTP id 6BC4F21F84E6 for <httpbisa-archive-bis2Juki@lists.ietf.org>; Sat, 19 Jan 2013 18:54:45 -0800 (PST)
Received: from lists by frink.w3.org with local (Exim 4.72) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1Twl2z-0008A3-NM for ietf-http-wg-dist@listhub.w3.org; Sun, 20 Jan 2013 02:54:13 +0000
Resent-Date: Sun, 20 Jan 2013 02:54:13 +0000
Resent-Message-Id: <E1Twl2z-0008A3-NM@frink.w3.org>
Received: from lisa.w3.org ([128.30.52.41]) by frink.w3.org with esmtp (Exim 4.72) (envelope-from <mnot@mnot.net>) id 1Twl2u-00089O-Lv for ietf-http-wg@listhub.w3.org; Sun, 20 Jan 2013 02:54:08 +0000
Received: from mxout-07.mxes.net ([216.86.168.182]) by lisa.w3.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.72) (envelope-from <mnot@mnot.net>) id 1Twl2t-0005v4-No for ietf-http-wg@w3.org; Sun, 20 Jan 2013 02:54:08 +0000
Received: from [192.168.1.80] (unknown [118.209.240.13]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by smtp.mxes.net (Postfix) with ESMTPSA id 21D4722E1F3; Sat, 19 Jan 2013 21:53:42 -0500 (EST)
Content-Type: text/plain; charset="iso-8859-1"
Mime-Version: 1.0 (Mac OS X Mail 6.2 \(1499\))
From: Mark Nottingham <mnot@mnot.net>
In-Reply-To: <CACuKZqH226evA0v26aop5oXtbjm8m=ePFip=1roJmrA3tygrGg@mail.gmail.com>
Date: Sun, 20 Jan 2013 13:53:39 +1100
Cc: Willy Tarreau <w@1wt.eu>, "Roy T. Fielding" <fielding@gbiv.com>, Nico Williams <nico@cryptonector.com>, Karl Dubost <karld@opera.com>, Julian Reschke <julian.reschke@gmx.de>, Piotr Dobrogost <p@ietf.dobrogost.net>, ietf-http-wg@w3.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <CA0A2954-F3D6-4255-A38F-3BD5D7E0FE0C@mnot.net>
References: <BD31B7FE-1CB4-48AD-A119-37A3509EF8E9@opera.com> <6D9EA8FA-50A6-44B1-A2EF-BB428E94183C@mnot.net> <CAK3OfOj8G3gFbTK_vPSnjS0qij+SUB3t9CdG80FYW5tbGgKR3A@mail.gmail.com> <C6A43E78-4F94-4FE3-A049-678555896FEC@mnot.net> <CAK3OfOiS1UPqvsk5H8RWUKyw8MB=uykeMkXzZoffm6732=UjMg@mail.gmail.com> <86DE887E-B189-40D2-A867-C81CFB0434AB@mnot.net> <CAK3OfOiWzJqHr8VSzn6WFcWRGJEr59XiUyh+wGTDnf1ydVL=3g@mail.gmail.com> <1390897A-59CF-451B-B3CD-BB39906BDACD@mnot.net> <CAK3OfOg17M3LTPwFJXFuHrq4AZh505hq27xoeVwJsPTvA7_3aw@mail.gmail.com> <A9D632AF-448F-4B5A-B3A0-33CF9BFDC3B4@gbiv.com> <20130116065254.GA12426@1wt.eu> <CACuKZqH226evA0v26aop5oXtbjm8m=ePFip=1roJmrA3tygrGg@mail.gmail.com>
To: Zhong Yu <zhong.j.yu@gmail.com>
X-Mailer: Apple Mail (2.1499)
Received-SPF: pass client-ip=216.86.168.182; envelope-from=mnot@mnot.net; helo=mxout-07.mxes.net
X-W3C-Hub-Spam-Status: No, score=-4.2
X-W3C-Hub-Spam-Report: AWL=-2.298, BAYES_00=-1.9, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001
X-W3C-Scan-Sig: lisa.w3.org 1Twl2t-0005v4-No 1d601a5c920be1996b0c6bf1a8991f64
X-Original-To: ietf-http-wg@w3.org
Subject: #429: Multiple header fields with the same field name - unwritten assumption about quoted commas in values?
Archived-At: <http://www.w3.org/mid/CA0A2954-F3D6-4255-A38F-3BD5D7E0FE0C@mnot.net>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/16035
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

Now <http://trac.tools.ietf.org/wg/httpbis/trac/ticket/429>.


On 17/01/2013, at 5:32 AM, Zhong Yu <zhong.j.yu@gmail.com> wrote:

> On Wed, Jan 16, 2013 at 12:52 AM, Willy Tarreau <w@1wt.eu> wrote:
>> On Tue, Jan 15, 2013 at 05:12:51PM -0800, Roy T. Fielding wrote:
>>> On Jan 15, 2013, at 4:07 PM, Nico Williams wrote:
>>> 
>>>> On Tue, Jan 15, 2013 at 6:01 PM, Mark Nottingham <mnot@mnot.net> wrote:
>>>>> On 16/01/2013, at 10:57 AM, Nico Williams <nico@cryptonector.com> wrote:
>>>>>> No.  I'm saying that it's OK for apps to do that but not any other
>>>>>> entities (middleboxes), mostly because middleboxes can't possibly know
>>>>>> about headers that hadn't been registered when they were implemented.
>>>>> 
>>>>> OK. Is this an actual problem you've encountered?
>>>>> 
>>>>> I'm fine with adding some clarifying text if it helps implementers, but I haven't seen this confusing any middlebox vendors; they tend to leave the bits alone...
>>>> 
>>>> I noticed Poul's and someone else's replies that in their middlebox
>>>> implementations they concluded that it's never safe to merge headers.
>>>> If that's the case (and I do think it follows from the facts that it
>>>> is the case) then we should say so rather than leave each implementor
>>>> to figure this out on their own.
>>> 
>>> The requirement is on generating headers, so it does not concern
>>> middlebox vendors other than for the fields that they add to a message.
>>> 
>>> Apache httpd merges header fields as they are read from the network.
>>> So does any correctly written client that reads internet message format
>>> (like all of the common MIME and libwww libraries).  If you want to
>>> interoperate on the Web, field generators must obey that requirement.
>> 
>> Roy, you're totally right here. If Apache merges multiple instances of
>> a header, it is because the client did so, and as per the spec, it was
>> allowed to do so because the headers were mergeable.
>> 
>> However I've seen some corner cases caused by applications (not middleboxes)
>> sometimes adding a header that was already present and not mergeable (eg:
>> the Date or Location header). I know that Apache has a special handling of
> 
> If different applications interpret duplicate headers differently, we
> have a serious problem
> 
>    Location: http://abc.com
>    Location: http://xyz.com
> 
> Some chooses the 1st one, some chooses the 2nd one, and some may see
> the merged `http://abc.com,http://xyz.com` (a valid URI)
> 
> We probably should require that an application either reject the
> message, or merge the header first if it wants to parse the header.
> 
> Zhong Yu
> 
>> the Set-Cookie header, I don't know if it does so for other well-known
>> non-mergeable headers which are supposed to contain commas.
>> 
>> Due to this mess caused by bogus applications, I finally decided that I
>> won't merge headers in haproxy, I didn't want to start dealing with a list
>> of exceptions. And I think it's the same reasoning for Poul Henning.
>> 
>> That said, I disagree with having the spec declare Apache non-compliant,
>> as it is doing the correct job in my opinion, as long as clients are
>> compliant.
>> 
>> But probably we could discourage future middlebox implementors from merging,
>> by making them aware of the difficulty of doing it right. This would just be
>> a non-normative warning then.
>> 
>> Willy
>> 
>> 
> 

--
Mark Nottingham   http://www.mnot.net/

v2.23.0 | Report a Bug | By Email