http-extensions
HTTP Extensions in progress
The introduction should explicitly point out that this mechanism is only for URLs that use application/x-www-form-urlencoded query strings; other formats aren't supported.
This is an "unqualified SHOULD", which is frowned upon.
In the current Editor's Copy of `connect-tcp`, TCP FIN and RST are distinguished by HTTP Stream Errors, or (especially in HTTP/1.1, where there is no such thing) by injecting a...
https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis-20#section-5.6.7.1 > Lax enforcement provides reasonable defense in depth against CSRF attacks that rely on unsafe HTTP methods (like POST), but does not offer a robust defense against CSRF as...
I can't see why this would be a problem, so this might need a little bit of digging. ``` draft-ietf-httpbis-digest-headers.xml:1531 'repr-digest: sha-256=:RK/0qy18MlBSVnWgjwz6lZEWjP/lF5HF9bvEF8FabDg==:': Binary Sequence failed to decode draft-ietf-httpbis-digest-headers.xml:1561 'repr-digest: sha-256=:RK/0qy18MlBSVnWgjwz6lZEWjP/lF5HF9bvEF8FabDg==:':...
For Compression Dictionaries: ``` 2.2.3 Multiple Matching dictionaries ... 2. Given equivalent destination precedence, the dictionary with the longest "match" takes precedence. ``` What is 'longest'? the longest match= string...
I presume the Chrome implementation also has this bug - the WPT dictionary-registration.tentative.https.html assumes that id="test" will yield an id of '"test"', when it should be 'test' per RFC 8941...
> [[SAMESITE](https://greenbytes.de/tech/webdav/draft-ietf-httpbis-rfc6265bis-latest.html#SAMESITE)] WHATWG, “[HTML - Living Standard](https://html.spec.whatwg.org/#same-site)”, January 2021, . The date is misleading. Either have a date and reference a specific snapshot of the spec (possible?), or leave the...
RFC6265ter already aims to make [lax-by-default optional](https://datatracker.ietf.org/doc/html/draft-annevk-johannhof-httpbis-cookies-00#section-5.5.2-5.5.1) because in the absence of a `SameSite` attribute Firefox defaults to None and I'm told that Safari also defaults to None as well....
Reason: 1. The standard for X-Content-Type-Options is specified in the Fetch Standard, which treats it as a list (currently with only one valid option). https://fetch.spec.whatwg.org/#x-content-type-options-header > To determine nosniff, given...