On 2013-10-28 17:55, S Moonesamy wrote:
> Hello,
> While I was reviewing other drafts in the set I noticed that Section
> 3.2.4 of draft-ietf-httpbis-p1-messaging-24 has the following:
>
> "Historically, HTTP header field values could be extended over
> multiple lines by preceding each extra line with at least one space
> or horizontal tab (obs-fold). This specification deprecates such
> line folding except within the message/http media type
> (Section 8.3.1). A sender MUST NOT generate a message that includes
> line folding (i.e., that has any field-value that contains a match to
> the obs-fold rule) unless the message is intended for packaging
> within the message/http media type."
>
> There is an IETF specification which interpreted Section 4.2 of RFC 2616
> as follows:
>
> "the HTTP header syntax allows extending single header values across
> multiple lines, by inserting a line break followed by whitespace"
>
> <http://tools.ietf.org/html/rfc4918#section-10.4.2>

So yes, this is a change from 2616 that we made due to security problems
(header injection).

> I'll classify deprecating line folding as an issue.
>
> Section 4.2 of RFC 2616 (and RFC 2068) follows the same generic format
> as that given in Section 3.1 of RFC 822. Section 2.2 of RFC 2616 states
> that:
>
> "HTTP/1.1 header field values can be folded onto multiple lines if the
> continuation line begins with a space or horizontal tab."
>
> I suggest that implementors of specifications which have a dependency on
> RFC 2616 review the relevant section in
> draft-ietf-httpbis-p1-messaging-24 about line folding and comment if
> they consider the deprecation as a problem.

Review is always good.

Note that the change is listed in
<http://greenbytes.de/tech/webdav/draft-ietf-httpbis-p1-messaging-24.html#rfc.section.A.2.p.8>:

"Header fields that span multiple lines ("line folding") are deprecated.
(Section 3.2.4)"

Best regards, Julian
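
As an added illustration that is not part of the original message or of the draft: a recipient-side header parser that detects obs-fold and handles it explicitly, so a continuation line is never mistaken for a separate header field. The function name, the two policies ("reject" and "unfold") and the sample bytes are assumptions of this example, and it assumes the message is not a message/http payload.

```python
import re

# obs-fold: a line break followed by at least one space or horizontal tab.
OBS_FOLD = re.compile(rb"\r\n[ \t]+")
# Characters allowed in a field name (HTTP "token").
TOKEN = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")

class FoldedHeaderError(ValueError):
    """The header block contains line folding and the policy is 'reject'."""

def parse_header_block(block, policy="reject"):
    """Parse the header bytes that follow the start-line.

    policy "reject": refuse any block that contains obs-fold.
    policy "unfold": replace each obs-fold with one SP, then parse.
    Returns (name, value) pairs in wire order.
    """
    if policy not in ("reject", "unfold"):
        raise ValueError("unknown policy")
    if OBS_FOLD.search(block):
        if policy == "reject":
            raise FoldedHeaderError("line folding (obs-fold) in header block")
        block = OBS_FOLD.sub(b" ", block)
    fields = []
    for line in block.split(b"\r\n"):
        if not line:
            continue  # trailing CRLF
        name, sep, value = line.partition(b":")
        # A line that is not "token:value" is rejected, never guessed at.
        if not sep or not TOKEN.fullmatch(name):
            raise ValueError("malformed header line: %r" % line)
        fields.append((name.decode("ascii").lower(),
                       value.strip(b" \t").decode("latin-1")))
    return fields

# Constructed sample: X-Note is folded onto a second line with a tab.
SAMPLE = (b"Host: example.test\r\n"
          b"X-Note: first part\r\n"
          b"\tsecond part\r\n"
          b"Accept: */*\r\n")

if __name__ == "__main__":
    print(parse_header_block(SAMPLE, policy="unfold"))
    try:
        parse_header_block(SAMPLE)
    except FoldedHeaderError as exc:
        print("rejected:", exc)
```

Whichever policy is chosen, every component on the request path needs to apply the same one, since the risk comes from two parsers disagreeing about where a field ends.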