On 2011-10-20 09:41, Mike Jones wrote:
> Your proposed wording for 2.4 misses the point: \ MUST NOT occur at all in the
> input string. No quoting may occur.
> ...

No, it doesn't miss the point.

You need to tell implementers whether they can use a quoted-string
processor. Those processors will accept all the values you want to
support, plus values that contain "\c" (representing "c"). Is this ok,
or are recipients supposed to reject these values?

Furthermore, it's not clear what recipients are supposed to do with
values that are not quoted, for instance for scope. The ABNF makes them
illegal, but I promise you that many recipients will accept them
nevertheless (unless you manage to make them draconian using a very
good test suite).

See <http://greenbytes.de/tech/tc/httpauth/#simplebasictok> for a test
case checking this for the realm parameter. It's already bad for many
existing headers; please let's do things right with new ones.

Best regards, Julian
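
The difference discussed in this thread, as an added example that is not part of the original message or of the draft: a generic HTTP parameter processor (token or quoted-string, with "\c" read as "c") beside a strict check that requires quotes and rejects any backslash. The function names and sample values are constructed for illustration, and the strict rule is an assumption based on the wording quoted above.

```python
import re

# HTTP token characters, used for unquoted parameter values.
TOKEN = re.compile(r"[!#$%&'*+.^_`|~0-9A-Za-z-]+")

class Rejected(ValueError):
    """Raised when a parameter value is not acceptable to the parser."""

def lenient_value(raw):
    """Generic processor: accepts a bare token or a quoted-string and
    unescapes quoted-pairs, so "\\c" becomes "c"."""
    if TOKEN.fullmatch(raw):
        return raw
    if len(raw) < 2 or raw[0] != '"' or raw[-1] != '"':
        raise Rejected("neither token nor quoted-string")
    body, out, i = raw[1:-1], [], 0
    while i < len(body):
        ch = body[i]
        if ch == '"':
            raise Rejected("unescaped quote inside value")
        if ch == "\\":
            i += 1
            if i == len(body):
                raise Rejected("dangling backslash")
            ch = body[i]          # quoted-pair: keep the escaped character
        out.append(ch)
        i += 1
    return "".join(out)

def strict_value(raw):
    """Assumed strict reading: value must be quoted, and a backslash
    (or an inner quote) anywhere in it is an error, not an escape."""
    if len(raw) < 2 or raw[0] != '"' or raw[-1] != '"':
        raise Rejected("value must be quoted")
    body = raw[1:-1]
    if "\\" in body or '"' in body:
        raise Rejected("backslash or quote not allowed in value")
    return body

def compare(raw):
    """Return (lenient result, strict result); None marks a rejection."""
    results = []
    for parse in (lenient_value, strict_value):
        try:
            results.append(parse(raw))
        except Rejected:
            results.append(None)
    return tuple(results)

if __name__ == "__main__":
    # Constructed sample values for a parameter such as scope.
    for sample in ['"read write"', '"re\\ad"', 'read', '"a"b"']:
        print(f"{sample!r:16} lenient/strict -> {compare(sample)}")
```

Any input where the two results differ is a value that two recipients would handle differently, which is the kind of case a conformance test suite would need to cover.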