[EventSource] Is Last-Event-ID header value allowed to contain any-char? #689
Comments
|
cc: @annevk |
|
See also whatwg/fetch#115. I'm happy to align this with whatever implementations implement. @hiroshige-g did not get back to me on that yet. |
|
Chrome:
Firefox:
|
|
I would like to ignore an ID value including any control characters when parsing it. |
|
Control being anything less than 0x20 or higher than 0x7E? |
|
Ooh, seems like the specification allows for non-ASCII values. |
|
The EventSource spec allows any octet composing a valid utf-8 string other than \r and \n while the HTTP spec allows only us-ascii printable chars (VCHAR). |
|
You preference would be that we require VCHAR in the specification instead and ignore anything outside? |
|
@wanderview, do you know who to ask from Mozilla about this? |
|
Both are acceptable, but I'm leaning towards ignoring an id field containing non-VCHARs. It looks consistent with the fact that we ignore an invalid retry field and other unrecognized fields. |
|
@mcmanus can probably comment from Mozilla's standpoint. |
|
@yutakahirano given what we decided for https://fetch.spec.whatwg.org/#concept-header-value I think UTF-8 bytes except for 0x00, 0x0A, and 0x0D is the way to go. Let me know if you disagree. |
|
Does it mean Firefox's behavior in #689 (comment)? |
|
Yeah, ignoring altogether if it doesn't meet the criteria seems best. Dropping part of the value seems more dangerous. |
|
SGTM |
|
@yutakahirano I think it would be even better if we didn't set |
|
(It's also odd that browsers do not have the U+0000 restriction on header values here while they do have that in other APIs...) |
|
#2849 has my proposal for how to change the HTML Standard. It would require changes by all implementations though, so feedback appreciated. |
…+0000 (#6584) * EventSource: do not allow lastEventId creation when the id contains U+0000 See whatwg/html#689.
whatwg/html#689 Bug: 752421 Change-Id: I12d9cc6f4556011729e1f4245868b864718e1f08 Reviewed-on: https://chromium-review.googlesource.com/666366 Commit-Queue: Yutaka Hirano <[email protected]> Reviewed-by: Takeshi Yoshino <[email protected]> Cr-Commit-Position: refs/heads/master@{#502763}
…+0000 (web-platform-tests#6584) * EventSource: do not allow lastEventId creation when the id contains U+0000 See whatwg/html#689.
whatwg/html#689 Bug: 752421 Change-Id: I12d9cc6f4556011729e1f4245868b864718e1f08 Reviewed-on: https://chromium-review.googlesource.com/666366 Commit-Queue: Yutaka Hirano <[email protected]> Reviewed-by: Takeshi Yoshino <[email protected]> Cr-Original-Commit-Position: refs/heads/master@{#502763} Cr-Mirrored-From: https://chromium.googlesource.com/chromium/src Cr-Mirrored-Commit: 33e02f52df5064f3e8e06eaed5c33ebf93aa6b70
and others
A Last-Event-ID header value is set to the last event ID string which can contain any chars except CR and LF. On the other hand, the Fetch spec requires that a header value consists of field-content octets. The former allows non-CRLF control octets while the latter doesn't.
The text was updated successfully, but these errors were encountered: