Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Valid response header names and values #26

Open
glassfishrobot opened this issue Oct 7, 2011 · 9 comments
Open

Valid response header names and values #26

glassfishrobot opened this issue Oct 7, 2011 · 9 comments
Labels
Enhancement New feature or request

Comments

@glassfishrobot
Copy link

Currently no validation is required when setting a response HTTP header or value. Should the specification require that invalid values are rejected? Should the specification provide a mechanism for escaping header names and values? What about values that cannot be escaped such as UTF-8 values?
@glassfishrobot
Copy link
Author

@glassfishrobot Commented
Reported by markt_asf

@glassfishrobot
Copy link
Author

@glassfishrobot Commented
@shingwaichan said:
Adding it to the bucket of FUTURE_RELEASE

@glassfishrobot
Copy link
Author

@glassfishrobot Commented
markt_asf said:
My own view is that invalid headers names and/or values should be rejected with an IllegalArgumentException.

@glassfishrobot
Copy link
Author

@glassfishrobot Commented
gregwilkins said:
I'm fine with ISE being thrown, but I think the spec cannot define what is or is not a valid header name. That will be determined by the underlying transport and level of RFC implementation. So I think these methods MAY throw rather than MUST throw.

@glassfishrobot
Copy link
Author

@glassfishrobot Commented
@shingwaichan said:
I agree that Servlet spec cannot define what valid header names are as they defined by RFCs, etc. And there may be new RFCs in the future. So, the method may throw IllegalArgumentException seems to be better.

@glassfishrobot
Copy link
Author

@glassfishrobot Commented
This issue was imported from java.net JIRA SERVLET_SPEC-26

@glassfishrobot
Copy link
Author

@markt-asf
Copy link
Contributor

Thinking specifically about HTTP header values:

From the HTTP spec:

Historically, HTTP has allowed field content with text in the
ISO-8859-1 charset [ISO-8859-1], supporting other charsets only
through use of [RFC2047] encoding. In practice, most HTTP header
field values use only a subset of the US-ASCII charset [USASCII].
Newly defined header fields SHOULD limit their field values to
US-ASCII octets. A recipient SHOULD treat other octets in field
content (obs-text) as opaque data.

How do we expose that opaque data to applications? getHeaderAsBytes(String headerName) ? Are different encodings used often enough to justify a getHeader(String headerName, Charset encoding) method?

@gregw
Copy link
Contributor

gregw commented Oct 4, 2018

I'm very cautious about going outside of the recommendation to limit header fields to US-ASCII.
Allowing arbitrary bytes via arbitrary charset encodings is going to challenge containers to keep responses legal and avoid smuggling attacks. We don't want servlet engines to become attack vectors against poorly written clients.

I have seen zero demand for arbitrary opaque bytes, as only the occasional usage of 8859-1 or question about utf-8.

@gregw gregw added Enhancement New feature or request and removed Component: HTTP labels Jan 18, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@gregw @markt-asf @glassfishrobot