Matt Menke

Also, relatedly, it would be good to decide what to do if the limit is exceeded (Just pass the body along anyways, I assume, rather than fail the request /...

I'm a bit late to respond, but I agree with this decision - rejecting headers with nulls seems the safest option here. We should also add code to Chrome's code,...

Note that truncating at whitespace can change file extensions, which can have security implications. So if we want to reach consensus on doing something other than what Chrome does here,...

The entire header doesn't parse as specced, though, not just some subset of it. Of course, just ignoring the header results in other potential security issues. Ideally, we'd just reject...

> That's the pedantic point of view (which I happen to like). But one could argue that failure to parse parameters does not require to throw away the disposition type....

Took a look at my [old doc](https://docs.google.com/document/d/1V8sFDCEYTXZmwKa_qWUfTVNAuBcPsu6FC0PhqMD6KKQ/edit#heading=h.mnyl0jm8suem), and found a couple others. Some of these are likely even straightforward to test: * WebSockets (which touch other network state, and can...

I'm fine with that, but I'm not sure how accurate the claim that using <code> and non-<code> double quotes in the same string will ever become less confusing, no matter...

Another option would be to change the color of code-tag enclosed blocks, instead of changing characters.

The quotes are visually different, but not that visually different. The light gray / black distinction is difficult to distinguish, with small blob-shaped characters, and the height difference isn't too...

While I own the MIME sniffer, what the renderer actually does with the information is largely a black box to me. So I'm fine with removing them, but have no...