Fog Creek Software
Discussion Board

HTTP header continuation lines

I was curious if anybody has seen HTTP continuation lines being used by any production clients or servers.  I haven't seen it, and am considering denying requests that use them in my implementation.  They seem like a waste anyway.  I'm not sure why the W3C went through the hassle of defining the feature.

My feeling is that is pretty complicated to implement as they require the parser to back track. 

I am considering running some tests against Apache and Firefox to see how they handle them. 

christopher (
Thursday, July 29, 2004

Postel's Law: Be liberal in what you accept, conservative in what you send.

Disallowing a feature explicitly documented in the protocol specification is almost never a good idea, especially when it comes to something as ubiquitous as HTTP. Everybody and their dog thinks they can write an HTTP client or server, so there are a LOT of half-assed implementations floating around out there.

Keith Moore
Thursday, July 29, 2004

It's been a while since I did HTTP parsing but I don't remember this being a big deal.  Just hold off committing a line until you've seen the first character of the next line. 

I think the most likely header to come in multiple lines is Accept.  They use to get a bit out of control but I'm not sure what the current practice is.

Thursday, July 29, 2004

Most HTTP client implementations will wrap lines after a certain length (I believe it's in the spec).  Most headers are not that long, but headers I've seen in a real life can be VERY long.

Almost Anonymous
Thursday, July 29, 2004

> Postel's Law: Be liberal in what you accept, conservative in what you send.

Actually the whole point of what I am working is the opposite. 

Baus's Law:

Only accept well crafted requests, because if they are not they are likely malicious. 

I do have an implementation for this, but it somehow makes me uncomfortable.  It really comes out as a weird special case in my state descriptions.   

Sounds like it is used more than I thought, so I will just be extra careful to test this. 

christopher (
Thursday, July 29, 2004

Be careful with http header continuation lines as ASP.NET 2.0 is set up by default to deny all request that include them, due to Header injection attacks. An attack against a vulnerable application could possibly echoe back entrusted data as part of a response header.

Shawn Molloy
Friday, August 20, 2004

*  Recent Topics

*  Fog Creek Home