On 8/24/2011 6:43 PM, Roy T. Fielding wrote:
> On Aug 24, 2011, at 4:39 PM, William A. Rowe Jr. wrote:
>
>> On 8/24/2011 4:54 PM, Roy T. Fielding wrote:
>>> On Aug 24, 2011, at 1:56 PM, Roy T. Fielding wrote:
>>>> To be clear, I am more than willing to rewrite the part on
>>>> Ranges such that the above is explicitly forbidden in HTTP.
>>>> I am not sure what the WG would agree to, but I am quite certain
>>>> that part of the reason we have an Apache server is to protect
>>>> the Internet from idiotic ideas like the above.
>>>
>>> http://trac.tools.ietf.org/wg/httpbis/trac/ticket/311
>>
>> Excellent, thanks. Just curious, isn't this clarification outside of
>> the remit of 2616bis?
>
> Security repairs are never out of scope.

Ack. So, I suspect the best we can do today, 4 days later, is to implement Roy's draft [link] as the POC/reference implementation and work with the rest of the http server community to ensure it is the right solution.

I suggest we publish this as a patch, /not/ as a release, until we find just a bit more buy-in from the other implementors.

Bill