On Mon, Sep 12, 2016 at 9:19 PM, Eric Covener <cove...@gmail.com> wrote:
> On Mon, Sep 12, 2016 at 5:38 PM, William A Rowe Jr <wr...@rowe-clan.net>
> wrote:
> > It really seems that if a major client is not handling "|" correctly, we
> > need to carve out an exception,
>
> +1 to allow it.
>
> For others who might hit a maze of closed/duped bug reports this one
> is active this year:
> https://bugzilla.mozilla.org/show_bug.cgi?id=1064700
>

Makes for some disturbing reading... the amount of misinformation is
truly mind-boggling (especially if you chase down the other reports.)
Their aspirational goal of duplicating the mistakes of the other clients
speaks for the wider UA community... sigh. Firefox has since 'uncorrected'
their originally correct handling of '[' and ']' to be equally out-of-spec.

But it leads to a very thorough survey of the queryargs behavior of the
major browser families which is worth reviewing;
https://bugzilla.mozilla.org/show_bug.cgi?id=1152455#c6

Based on the complete mess which is queryarg behavior from all of the
browser families (my interrogations didn't cover this)... it appears that
we cannot reject any of the 'unwise'/'unsafe' set without causing major
headaches:

          hex    22 3C 3E 5B 5C 5D 5E 60 7B 7C 7D
          char   "  <  >  [  \  ]  ^  `  {  |  }
Chrome    path   %  %  %  .  .  .  %  %  %  %  %
+Opera    query  %  %  %  .  .  .  .  .  .  .  .
IE        path   %  %  %  .  .  .  %  %  %  %  %
          query  .  .  .  .  .  .  .  .  .  .  .
Firefox   path   %  %  %  %  %  %  %  %  %  .  %
          query  %  %  %  .  .  .  .  %  .  .  .
Safari    path   %  %  %  .  .  .  .  .  .  .  .
          query  %  %  %  .  .  .  .  .  .  .  .

So I will add the entire unwise (and unmentioned, in RFC3986) set to our
URI validator. I don't particularly want to create some middle tier 'mostly
safe but unwise chars accepted' configuration option.

Internally httpd will reassemble these in the path segment, correctly
encoded per spec for Location: and back-end URIs. Because httpd often
does not decode/encode the user-provided queryargs, it will generally
pass these back or along as submitted by the client.
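
The validator behaviour discussed in the message above, as an added example that is not part of the original message and is not httpd's own code: a strict RFC 3986 check beside a mode that also lets the eleven tabled characters through, plus the percent-encoding applied when a path is echoed into Location:. The names `target_ok` and `encode_unwise` are hypothetical, and the sketch assumes an ASCII request target with no fragment.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* The eleven characters from the table in the message (hex 22 ... 7D). */
static const char UNWISE[] = "\"<>[\\]^`{|}";

static int is_unwise(unsigned char c) {
    return c != '\0' && strchr(UNWISE, c) != NULL;
}

/* Characters RFC 3986 allows unencoded in a path or query, plus '%'. */
static int is_rfc3986(unsigned char c) {
    return c != '\0' && c < 0x80 &&
           (isalnum(c) || strchr("-._~!$&'()*+,;=:@/?%", c) != NULL);
}

/* Hypothetical validator: returns 1 if the target is acceptable.
 * tolerate_unwise == 0 accepts RFC 3986 characters only; 1 also accepts
 * the unwise set. Controls, space, DEL and 8-bit bytes fail in both modes. */
int target_ok(const char *s, int tolerate_unwise) {
    for (; *s; s++) {
        unsigned char c = (unsigned char)*s;
        if (is_rfc3986(c)) continue;
        if (tolerate_unwise && is_unwise(c)) continue;
        return 0;
    }
    return 1;
}

/* Hypothetical re-encoder: percent-encodes unwise characters in a path.
 * Returns the output length, or -1 if out cannot hold the result. */
int encode_unwise(const char *in, char *out, size_t outlen) {
    static const char hex[] = "0123456789ABCDEF";
    size_t n = 0;
    if (outlen == 0) return -1;
    for (; *in; in++) {
        unsigned char c = (unsigned char)*in;
        size_t need = is_unwise(c) ? 3 : 1;
        if (n + need >= outlen) return -1;   /* keep room for the NUL */
        if (need == 3) {
            out[n++] = '%';
            out[n++] = hex[c >> 4];
            out[n++] = hex[c & 15];
        } else {
            out[n++] = (char)c;
        }
    }
    out[n] = '\0';
    return (int)n;
}
```
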