On 2011-10-29 05:08, Adam Barth wrote:
...
Except for RFC6265, which in the algorithm for parsing "Max-Age=", it
algorithmically provides for ignoring a value that doesn't match the
effective value ABNF of..
["-"]*DIGIT
..which would catch the max-age="1" case, but doesn't seem to explicitly
address..
max-age=
That's handled by some more general processing rules in the spec. The
net result is that it's ignored.
But in any case, perhaps (additional) browser implementor folk could chime
in here -- do we really need to address such detail-level issues (both of
the examples above and below) in the syntax/grammar we specify in specs such
as these? Or is the new ABNF proposed in the original message in this thread
sufficient?
Generally, we prefer to be instructed exactly how to behave for every
possible input (even illegal ones). There's a long history of
quoted-string not being implemented correctly by browsers. I spec
this as just splitting the string on ; and then processing each
substring separately, ignoring bogus/future ones. I know Julian has a
dream that all HTTP headers will be parsed the same, but quoted-string
is sufficiently ill-defined w.r.t. error handling that I prefer to
avoid it.
...
- when discussing generic parsing, we need to distinguish between legacy
cases like cookies, and new headers, where we can do better
- standardizing handling of broken headers is one thing (and in general
I prefer not to), but that doesn't mean that when defining a new header
field we shouldn't minimize the things a sender can get wrong; if we
know that some recipients will accept both token and quoted-string
anyway, then it seems like a good thing to simply allow them both,
reducing the number of special-cases in parsing
- not sure what you mean by "ill-defined w.r.t. error handling"; it's
defined just like most other syntax elements in HTTP -- is there
something *specific* to quoted-string you have in mind?
Best regards, Julian
_______________________________________________
websec mailing list
websec@ietf.org
https://www.ietf.org/mailman/listinfo/websec
