w3c-ccg / http-signatures

Signing HTTP Messages specification
https://w3c-dvcg.github.io/http-signatures/

:path pseudo header encoding #93

Open msporny opened 4 years ago

msporny commented 4 years ago

Sebastien Rosset wrote:

Would it be worthwhile clarifying in section 2.3 what are the encoding rules for the :path pseudo header (including query)? Or at least provide an example that has characters that are percent-encoded? The proposed Cavage draft refers to RFC 7540 8.1.2.3, which itself refers to RFC 3986. There is a section of RFC 3986 that specifies the percent encoding & decoding rules. From that RFC, it is clear the client must percent-encode the :path pseudo header before sending the data on the wire. But Cavage draft section 2.3 does not seem to clearly specify whether the value of the :path pseudo header must be obtained before or after percent-encoding of the URI. My interpretation is that the client should first percent-encode the :path pseudo header, then use that value for the purpose of signing. On the receiving side, the server should validate the signature by concatenating the value of the :path pseudo header before decoding the header value. Maybe I am missing something that clarifies, and certainly an example would help.

For example, instead of the following example

GET /foo HTTP/1.1
...

You could use something like this:

GET /foo%20bar?q=%3Apath HTTP/1.1
…

msporny commented 4 years ago

My interpretation is that the client should first percent-encode the :path pseudo header, then use that value for the purpose of signing. On the receiving side, the server should validate the signature by concatenating the value of the :path pseudo header before decoding the header value.

Yes, I believe that interpretation is correct... and the spec should clarify that without duplicating the text in RFC 3986.

liamdennehy commented 4 years ago

GET /foo%20bar?q=%3Apath HTTP/1.1

Unsure why you've escaped the colon, since this is a valid pchar for a query:

URI           = scheme ":" hier-part [ "?" query ] [ "#" fragment ]
query         = *( pchar / "/" / "?" )
pchar         = unreserved / pct-encoded / sub-delims / ":" / "@"

Illustrating escaped query & path characters is useful, so I propose showing the transform of (in yaml):

path: '/foo bar'
query:
  - name: test
    value: this=that
  - name: actions
    value: first&second

into

/foo%20bar?test=this%3Dthat&actions=first%26second
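
The transform proposed above and the sign-before-decode rule discussed in this thread, as an added example that is not part of the thread or of the specification's text. It assumes the draft's `(request-target)` line (lowercased method, a space, then `:path`), signs only that line with HMAC-SHA256, and uses a constructed key and hypothetical function names.

```python
import hashlib
import hmac
from urllib.parse import quote, unquote

KEY = b"constructed-demo-key"  # constructed sample secret, not from the page


def encode_path(path, query):
    """Percent-encode a path and (name, value) pairs into the on-the-wire :path."""
    target = quote(path, safe="/")
    if query:
        pairs = [f"{quote(n, safe='')}={quote(v, safe='')}" for n, v in query]
        target += "?" + "&".join(pairs)
    return target


def signing_string(method, wire_path):
    # Assumed layout: lowercased method, one space, :path exactly as sent.
    return f"(request-target): {method.lower()} {wire_path}"


def sign(method, wire_path, key=KEY):
    msg = signing_string(method, wire_path).encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def verify(method, received_path, signature, key=KEY):
    # The verifier signs the received value as-is; it does not decode it first.
    return hmac.compare_digest(sign(method, received_path, key), signature)


if __name__ == "__main__":
    wire = encode_path("/foo bar", [("test", "this=that"), ("actions", "first&second")])
    sig = sign("GET", wire)
    print(wire)
    print("raw :path verifies:     ", verify("GET", wire, sig))
    # Decoding first changes the signed bytes, and "first&second" would now
    # parse as two parameters, so the signature must not cover this form.
    print("decoded :path verifies: ", verify("GET", unquote(wire), sig))
    # "%3A" and ":" name the same character in a query, but sign differently.
    sig2 = sign("GET", "/foo%20bar?q=%3Apath")
    print("re-encoded colon verifies:", verify("GET", "/foo%20bar?q=:path", sig2))
```

A verifier or intermediary that normalises percent-encoding before the check will reject otherwise valid requests, which is why the value has to be taken exactly as it appeared on the wire.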

liamdennehy commented 4 years ago

New content and updated reference test sample message in https://github.com/w3c-dvcg/http-signatures/pull/83/commits/390aee411bce8236ff321ec690e6b523900abcc3: