On Thu, Aug 18, 2016 at 5:00 AM, William A Rowe Jr <wr...@rowe-clan.net> wrote:
> Just FWIW, this still is not fixed for the legacy header parser. > > It *is* now fixed for the HTTP Request Line parser. Relaxing the > whitespace rule (as we still do by default) only lets 1+ SP/HTAB > slip through, and then recomposes with single SP delimiters. > > Of the subset \f \r \v \n I can't think of any possible application. > Whitespace of ' ' and \t makes (some) sense in the real world. > If anyone has a real-world example of a user-agent which used > these legitimately, I'd love a pointer. > Committed in 1756847, either Strict or StrictWhitespace will reject these quirks, Unsafe and LenientWhitespace together are required to continue to handle such headers, and never permitted for the request line itself.
