HTTP header continuation lines
I was curious if anybody has seen HTTP continuation lines being used by any production clients or servers. I haven't seen it, and am considering denying requests that use them in my implementation. They seem like a waste anyway. I'm not sure why the W3C went through the hassle of defining the feature.
Postel's Law: Be liberal in what you accept, conservative in what you send.
It's been a while since I did HTTP parsing but I don't remember this being a big deal. Just hold off committing a line until you've seen the first character of the next line.
Most HTTP client implementations will wrap lines after a certain length (I believe it's in the spec). Most headers are not that long, but headers I've seen in a real life can be VERY long.
> Postel's Law: Be liberal in what you accept, conservative in what you send.
Be careful with http header continuation lines as ASP.NET 2.0 is set up by default to deny all request that include them, due to Header injection attacks. An attack against a vulnerable application could possibly echoe back entrusted data as part of a response header.
Fog Creek Home