On Wed, Feb 4, 2015 at 8:24 AM, Stanislav Malyshev <smalys...@gmail.com>
wrote:

> Hi!
>
> Our header() function supports multiline HTTP headers, which are allowed
> by RFC 2616. However, newer RFC -
> https://tools.ietf.org/html/rfc7230#section-3.2.4 - deprecates them and
> says:
>
> Historically, HTTP header field values could be extended over
> multiple lines by preceding each extra line with at least one space
> or horizontal tab (obs-fold).  This specification deprecates such
> line folding except within the message/http media type
> (Section 8.3.1). A sender MUST NOT generate a message that includes
> line folding (i.e., that has any field-value that contains a match to
> the obs-fold rule) unless the message is intended for packaging
> within the message/http media type.
>
> So, my question is - any objections for dropping this functionality? I'd
> be inclined to drop it in all versions from 5.4 up since it may still be
> confusing some not too smart clients that don't implement full spec, and
> frankly to me it doesn't seem of any use anyhow, but if you disagree,
> please explain.
>

I'm +1 on dropping this. IIRC IE does not (or at least did not) support
this as well, so our header injection protection is broken for users of IE.

Nikita
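
The mismatch discussed in this thread, as an added example that is not part of the original emails and is not PHP's own code: a value that a folding-tolerant check accepts as one header is read as two fields by a reader without obs-fold support. The header names, the sample value and both simplified parsers are constructed assumptions and do not model any specific browser.

```python
import re

# Constructed sample: a header value that uses obs-fold (CRLF followed by a space).
VALUE = "first\r\n second: part"
RAW = ("X-Demo: " + VALUE + "\r\nContent-Type: text/html\r\n").encode("latin-1")

def legacy_check(value):
    """Simplified model of a folding-tolerant check: CR/LF is fine if SP/HTAB follows."""
    unfolded = re.sub(r"\r?\n[ \t]", "", value)
    return "\r" not in unfolded and "\n" not in unfolded

def strict_check(value):
    """RFC 7230 sender rule: never emit obs-fold, so reject any CR or LF."""
    return "\r" not in value and "\n" not in value

def parse_with_folding(raw):
    """RFC 2616-style reader: a line starting with SP/HTAB continues the previous field."""
    fields = []
    for line in raw.decode("latin-1").split("\r\n"):
        if not line:
            continue
        if line[0] in " \t" and fields:
            name, value = fields[-1]
            fields[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            fields.append((name.strip(), value.strip()))
    return fields

def parse_without_folding(raw):
    """Assumed reader with no obs-fold support: every non-empty line is its own field."""
    fields = []
    for line in raw.decode("latin-1").split("\r\n"):
        if line.strip():
            name, _, value = line.strip().partition(":")
            fields.append((name.strip(), value.strip()))
    return fields

if __name__ == "__main__":
    print("legacy check accepts:", legacy_check(VALUE))
    print("strict check accepts:", strict_check(VALUE))
    print("folding reader:    ", parse_with_folding(RAW))
    print("non-folding reader:", parse_without_folding(RAW))
```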
