Comments (5)
But wait, https://www.rfc-editor.org/errata/eid5853 says that that sentence should be replaced :\ I'd have to read more to understand whether including a `charset` parameter should in fact technically be harmless.
That's marked as "Reported", which just means that someone thought it would be a good idea to make that change. I don't think we can conclude anything from it.
(I've been fooled by RFC Errata before.)
from guava.
Interesting, thanks. I don't know that this has come up before.
We actually had `application/json` without a charset before replacing it with the current constant back in 2012 (before `MediaType` was added to Guava). That presumably was the right move then (since it predates the 2017 RFC you've shared).
It is interesting that the RFC also says "Adding [a charset] really has no effect on compliant recipients," which suggests that including one should be harmless for compliant recipients.
But wait, https://www.rfc-editor.org/errata/eid5853 says that that sentence should be replaced :\ I'd have to read more to understand whether including a `charset` parameter should in fact technically be harmless.
There's additionally the question of whether the `charset` parameter makes things better or worse for non-compliant recipients. (And then there's the question of whether helping non-compliant recipients is a good thing or a bad thing... :))
Our internal security guidance says that it is "critical" to include the `charset` parameter. That said, the guidance dates from at least 7 years ago, and I don't know how recently it's been reevaluated. Some chain of other links led me to https://portswigger.net/research/json-hijacking-for-the-modern-web, which was from 2016 (with some kind of update in 2022), which likewise suggests that the `charset` is important (or at least was back then). However, I haven't read it nearly closely enough to have much confidence in anything.
Someone seems to be reporting that Dart needed the parameter back in 2019. Ditto some "HttpClient" in 2020.
And I've seen another report or two that some receivers reject anything that includes `charset` (example)....
I fear that we could end up the latest project to have "ping-ponging this back and forth, and there's always some broken client."
We could consider talking more with our security people to see what they recommend. We'd want to have a pretty solid understanding before nudging users toward a change that might break something that had previously been working (whether it was really supposed to be working or not).
from guava.
In general, are extra, unrecognized parameters considered an error in media types?
from guava.
Exactly - unless it's verified it doesn't mean anything.
from guava.
In general, are extra, unrecognized parameters considered an error in media types?
Usually no.
The problem is more educational: sending "charset=UTF-8" sort of implies that "charset=UTF-16" would change the encoding detection. And that would be a bug.
As would be to require the presence of the param.
from guava.
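The recipient-side behaviour discussed in this thread, as an added example that is not part of the original comments or Guava's own code: accept `application/json` with or without a `charset` parameter, never require it, and decode the body as UTF-8 whatever the parameter says. The class and method names are hypothetical, the headers are constructed samples, and Guava is assumed to be on the classpath.

```java
import com.google.common.net.MediaType;
import java.nio.ByteBuffer;
import java.nio.charset.CharacterCodingException;
import java.nio.charset.StandardCharsets;

public final class JsonContentTypeCheck { // hypothetical class name
  // Parameterless range: matches application/json with any (or no) parameters.
  private static final MediaType JSON = MediaType.create("application", "json");

  /** True if the header names application/json, whatever parameters it carries. */
  static boolean isJson(String contentTypeHeader) {
    try {
      return MediaType.parse(contentTypeHeader).is(JSON);
    } catch (IllegalArgumentException e) {
      return false; // header is not a parseable media type
    }
  }

  /** Strict UTF-8 decode; the charset parameter is deliberately never consulted. */
  static String decodeBody(byte[] body) throws CharacterCodingException {
    // A fresh decoder reports malformed input instead of substituting U+FFFD.
    return StandardCharsets.UTF_8.newDecoder().decode(ByteBuffer.wrap(body)).toString();
  }

  public static void main(String[] args) throws CharacterCodingException {
    String[] headers = { // constructed sample headers
      "application/json",
      "application/json; charset=UTF-8",
      "application/json; charset=UTF-16", // still JSON; body is still read as UTF-8
      "text/html; charset=UTF-8",
    };
    for (String h : headers) {
      System.out.println(h + " -> isJson=" + isJson(h));
    }

    // Brittle recipient: exact equality with the constant rejects a sender
    // that omits the parameter.
    boolean exact = MediaType.parse("application/json").equals(MediaType.JSON_UTF_8);
    System.out.println("bare application/json equals JSON_UTF_8: " + exact);

    byte[] body = "{\"ok\":true}".getBytes(StandardCharsets.UTF_8); // constructed body
    System.out.println(decodeBody(body));
  }
}
```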