Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

:path pseudo header encoding #93

Open
msporny opened this issue Nov 1, 2019 · 3 comments
Open

:path pseudo header encoding #93

msporny opened this issue Nov 1, 2019 · 3 comments
Assignees
@liamdennehy
Labels
quality Clarity, consistency, effectiveness

Comments

@msporny
Copy link
Contributor

msporny commented Nov 1, 2019

Sebastien Rosset wrote:

Would it be worthwhile clarifying in section 2.3 what are the encoding rules for the :path pseudo header (including query)? Or at least provide an example that has characters that are percent-encoded?
The proposed Cavage draft refers to rfc 7540 8.1.2.3, which itself refers to RFC 3986. There is a section of RFC 3986 that specifies the percent encoding & decoding rules. From that RFC, it is clear the client must percent-encode the :path pseudo header before sending the data on the wire.
But Cavage draft section 2.3 does not seem to clearly specify whether the value of the :path pseudo header must be obtained before or after percent-encoding of the URI. My interpretation is that the client should first percent-encode the :path pseudo header, then use that value for the purpose of signing. On the receiving side, the server should validate the signature by concatenating the value of the :path pseudo header before decoding the header value. Maybe I am missing something that clarifies, and certainly an example would help.

For example, instead of the following example

GET /foo HTTP/1.1
...

You could use something like this:

GET /foo%20bar?q=%3Apath HTTP/1.1
…
@msporny
Copy link
Contributor Author

msporny commented Nov 1, 2019

My interpretation is that the client should first percent-encode the :path pseudo header, then use that value for the purpose of signing. On the receiving side, the server should validate the signature by concatenating the value of the :path pseudo header before decoding the header value.

Yes, I believe that interpretation is correct... and the spec should clarify that without duplicating the text in RFC 3986.

@liamdennehy liamdennehy self-assigned this Nov 4, 2019
@liamdennehy liamdennehy added the quality Clarity, consistency, effectiveness label Nov 4, 2019
@liamdennehy
Copy link
Contributor

GET /foo%20bar?q=%3Apath HTTP/1.1

Unsure why you've escaped the colon, since this is a valid pchar for a query:

URI           = scheme ":" hier-part [ "?" query ] [ "#" fragment ]
query         = *( pchar / "/" / "?" )
pchar         = unreserved / pct-encoded / sub-delims / ":" / "@"

Illustrating escaped query & path characters is useful, so I propose showing the transform of (in yaml):

path: '/foo bar'
query:
  - name: test
    value: this=that
  - name: actions
    value: first&second

into

/foo%20bar?test=this%3Dthat&actions=first%26second

@liamdennehy
Copy link
Contributor

liamdennehy commented Nov 4, 2019
edited
Loading

New content and updated reference test sample message in 390aee4:

  • Clarify escaping requirement in section canonicalization for both :path and :query, refer to RFC3986 for reasoning (and add as new normative ref)
  • Include escaped path and query in examples with illustrations of transformation
  • Does not yet provide fully validated samples in Appendix C, but basic and default test are correct

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@liamdennehy liamdennehy

Labels
quality Clarity, consistency, effectiveness
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@msporny @liamdennehy