Hello websec fellows,
<hat="chair>
as it seems there is disagreement on how to resolve this, with only very
few people having spoken out so far, I would like to invite comments
from other working group members on this topic to see whether we might
have missed something.
Best regards, Tobias
On 30/12/11 18:37, Adam Barth wrote:
It seems we're not in agreement. We can repeat the same arguments
over and over again, but it's not clear that would be productive.
Adam
On Fri, Dec 30, 2011 at 2:00 AM, Julian Reschke<[email protected]> wrote:
On 2011-12-30 10:13, Adam Barth wrote:
Using quoted-string in the extension directive is the wrong thing to
do. Because none of the actual directives use quoted-string, folks
are likely to write parsers that don't handle all the complexities of
quoted-string (which are legion). That means when we go to actually
use quoted-string in a future directive, it won't actually work in
many user agents.
Unless we clarify the syntax, allow q-s everywhere, and have test cases.
On the other hand, if we spec the extension directives without
quoted-string, future extensions will work even if folks mistakenly
implement quote-string (because DQUOTE is forbidden in the extension
syntax I suggested above, so we'll never trigger the mistaken
quoted-string parsing code). Everyone lives a happy life.
Absolutely not.
First of all, some implementations will parse q-s, because that's consistent
with other header fields. Also, not having q-s makes certain values
impossible to send, in which case you'll need to invent yet another escaping
syntax.
Anyway, it's all somewhat of a moot point because the above will
happen regardless of what we write in the spec. Even if we write
quoted-string, when folks attempt to use these extension directives in
the future, they'll find that they don't work and they'll update the
syntax not to use quoted-string.
Why would they find that? Implementations can be fixed.
Or is this argument based on the fact that you *currently* "own" one
implementation and claim it can't be fixed? That would be a very strange
thing to do in the context of an IETF WG trying to reach consensus.
Best regards, Julian
PS: I note that we are in violent agreement that the syntax should be the
same for all directives, predefined or extension. We just come to different
conclusions about what that syntax should be.
_______________________________________________
websec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/websec
_______________________________________________
websec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/websec
