Closed ioggstream closed 5 years ago
I disagree. A HTTP Message can have a header with no value provided. It is semantically meaningful to provide a parameter without a value, which is distinct from not providing the parameter at all. A value of null or zero is not the same as not providing a value. This is why I cleaned up up the language in #47.
If implementations permit empty headers, that's their choice, but I don't think we should be dictating that.
A HTTP Message can have a header with no value provided
Ok, but how is that related with a blank headers parameter
?
eg.
Signature: headers="", ...
If implementations permit empty headers, that's their choice
imho permitting an empty headers parameter
means
that a compliant implementation must support that. We are
actually forcing to support a weak part of the spec.
In that case, we should warn about reply attacks in the Security Considerations.
So the questions:
of almost no utility and SHOULD NOT be used
?
My mistake, I read this as forbidding HTTP message headers with empty values, not an empty headers
parameter in the Signature header.
The PR that introduced that language only cleaned up an ambiguity in the wording, it was not the intention to suggest this is a good idea. As you quote in the current version, it states this is of almost no utility.
I'm happy to forbid an empty headers
, but then we should also talk about the minimums, since a signature with only Content-Type
or Accepts
would be similarly useless as these are also largely static.
My mistake, I read this as forbidding HTTP message headers with empty values
I think we should refactor the terminology, I have been confused for months :D
I'm happy to forbid an empty headers
+1
we should also talk about the minimums, since a signature with only Content-Type or Accepts would be similarly useless
Very true :) I'll open another issue for that.
@liamdennehy https://github.com/w3c-dvcg/http-signatures/pull/70
I'm +1 to forbidding signing an empty string which is almost certainly a mistake. As long as that's what we're talking about disallowing here, I'm in favor.
Closed in #70
I expect
headers
should either be:Signature: headers="foo bar", ...
You should nevers sign an empty string.
Instead
The following is allowed
Note
Allowing an empty header parameter is then:
can be attached to multiple messages and potentially be used to identify the sender.
headers
;@msporny @liamdennehy do you agree?