WICG / ua-client-hints

Wouldn't it be nice if `User-Agent` was a (set of) client hints?
https://wicg.github.io/ua-client-hints/

GREASE: Consider disallowing special characters at index 0 #309

Closed mreichhoff closed 2 years ago

mreichhoff commented 2 years ago

We've identified a few cases in which a leading special character causes issues with WAF or other software (in one case, 403s were observed on a major bank website when `/` was leading the GREASE string, but not when `/` was present at other indices; in another, a job hunting site rejected requests with `;` as the first character, but not in other indices). The spec currently calls for a character, then a brand component, followed by stripping leading and trailing whitespace, such that index zero will usually be a special character.

I am sympathetic to firewall authors who would think leading with `=` or `/` looks like an attempt at tampering, and based on finding web incompatibilities with leading special characters, it may not be worth the risk. Note that keeping the same set of special characters, but keeping them outside the leading index in the string, still prevents blanket rejection of those characters or ossification on specific strings, so it still appears to support the goal of GREASE.

ericlaw1979 commented 2 years ago

Citi's website rejects with HTTP/406 any brand token that starts with `*`, `+`, `-`, `=` or `/`.

miketaylr commented 2 years ago

Yeah, seems like a good idea to fix this. Thanks @mreichhoff.