Message Parsing Strictness

[mnot]

3.5 Message Parsing Robustness -- "When a server listening only for HTTP request messages, or processing what appears from the start-line to be an HTTP request message, receives a sequence of octets that does not match the HTTP-message grammar aside from the robustness exceptions listed above, the server must respond with an HTTP/1.1 400 (Bad Request) response." This makes several existing implementations non-conformant (because they silently digest whitespace in those empty lines). See also the issue above about Tolerant Applications and SP/HT in the top-line.

Reported by @mnot, migrated from https://trac.ietf.org/trac/httpbis/ticket/414

[mnot]

• fielding@gbiv.com commented:

From 2028:

Expand on message parsing robustness regarding whitespace. Clarify that whitespace-delimited parsing by recipients is allowed.

Add requirement on recipients of whitespace between start-line and first header field to be consistent with implementations and safe from the header spoofing issues.

Reduce ABNF conformance by recipients to a SHOULD.

Addresses #411, #412, and #414

• fielding@gbiv.com changed milestone from unassigned to 22
• fielding@gbiv.com changed resolution to incorporated
• fielding@gbiv.com changed status from new to closed

[mnot]

• @mnot changed resolution from incorporated to ``
• @mnot changed status from closed to reopened

[mnot]

• @mnot changed resolution to fixed
• @mnot changed status from reopened to closed