On Fri, Mar 16, 2018 at 11:50:17AM +0100, Luca Toscano wrote:
> From my point of view, adding a comment nearby a directive (except in some
> cases like you explained above) should be totally safe and transparent to
> the user. I haven't ever thought about the possibility that having an inline
> comment could be dangerous, and in my opinion we should enforce this vision
> and explicitly document when it is not possible and why.
>
> The above is my naive view though (after working on this project for a very
> short time) so I'd really like to know what's your angle about not
> encouraging inline comments (pretty sure that there are use cases that I
> didn't think of, and that might be good to be documented).

I'd be fine with making in-line comments 100% safe (stripped) everywhere. I'd think I'd also be fine with making inline comments a config error in all cases, or increasing the X% of cases where that's an error already.

I'm not happy about increasing (but to still below 100%) the places where comments are silently stripped, leaving the remaining places where comments might be a security issue (as in Require host foo#bar). I'm worried this will *increase* the risk of security issues as users become accustomed to using in-line comments.

Regards, Joe
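
A review aid for the situation discussed above, added here as an example and not part of the original message or of httpd's own code: it flags every directive line that contains an unquoted `#`, so each one can be checked by hand against the directive's documentation. The function name, the sample configuration and the quote and backslash handling are assumptions made for this example and do not reproduce httpd's parser.

```python
# Constructed sample configuration, for illustration only.
SAMPLE = """\
# Access rules for the private area
<Directory "/srv/www/private">
    Require host foo#bar
    Require host intranet.example   # office network
    ErrorDocument 404 "/missing.html#top"
    Options -Indexes
</Directory>
"""


def find_inline_hashes(config_text):
    """Return (line_number, directive, text_from_hash) for each directive
    line that has an unquoted '#' after its first character."""
    findings = []
    for number, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        # Blank lines and whole-line comments are not the concern here.
        if not line or line.startswith("#"):
            continue
        quote = None     # quote character we are currently inside, if any
        escaped = False  # True when the previous character was a backslash
        for index, char in enumerate(line):
            if escaped:
                escaped = False
            elif char == "\\":
                escaped = True
            elif quote:
                if char == quote:
                    quote = None
            elif char in "\"'":
                quote = char
            elif char == "#":
                # Report the directive name and everything from the '#' on,
                # whether it was meant as a comment or as part of a value.
                findings.append((number, line.split(None, 1)[0], line[index:]))
                break
    return findings


if __name__ == "__main__":
    for number, directive, tail in find_inline_hashes(SAMPLE):
        print(f"line {number}: {directive}: review inline text {tail!r}")
```

A hit means only that the line needs a human decision; the quoted `#` in the `ErrorDocument` line is deliberately not reported.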
