Question

I am reading through the HTTP 1.1 RFCs and I am not able to answer the following question.

We have this header:

Authorization: Basic Qmxvb21iZXJnOnRjbG1lU1JT, Basic

which is causing trouble because the Rails 3 authorization parser incorrectly decodes the string because of the "," character. This is very uncommon, I know, but we add this using this Apache httpd configuration:

RequestHeader append Authorization "Basic" early

The Apache mod_header documentation says:

The response header is appended to any existing header of the same name. When a new value is merged onto an existing header it is separated from the existing header with a comma. This is the HTTP standard way of giving a header multiple values.

But I don't think it is correct for this Authorization header. The RFC definition does not allow this. But some headers permit comma-separated lists. I am not sure if this is a general rule for all HTTP headers.

I am looking for a paragraph in the HTTP 1.1 RFC that proves my idea that this is not correct. I have already found something that is saying "this is valid only for headers that can be separated", but this is not a proof.

Multiple message-header fields with the same field-name MAY be present in a message if and only if the entire field-value for that header field is defined as a comma-separated list [i.e., #(values)]. It MUST be possible to combine the multiple header fields into one "field-name: field-value" pair, without changing the semantics of the message, by appending each subsequent field-value to the first, each separated by a comma. The order in which header fields with the same field-name are received is therefore significant to the interpretation of the combined field value, and thus a proxy MUST NOT change the order of these field values when a message is forwarded.

It really does not make sense, but I am looking for a clear proof.


Solution

The answer is in the text you quoted:

"Multiple message-header fields with the same field-name MAY be present in a message if and only if the entire field-value for that header field is defined as a comma-separated list [i.e., #(values)]."

This is not the case for "Authorization".
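As an added illustration (not code from the question, the answer, Apache or Rails): a strict parser that follows the RFC 7235 grammar for Basic credentials ("Basic" SP token68) rejects the merged value that Apache's append produces, while a permissive parser silently accepts it and hides the misconfiguration. The credential alice:secret and all function names are constructed for this example.

```python
import base64
import binascii
import re

# RFC 7235: credentials = "Basic" 1*SP token68, where
# token68 = 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"="
# Nothing else (in particular no ", Basic") may follow the token.
BASIC_RE = re.compile(r"^Basic[ \t]+([A-Za-z0-9\-._~+/]+=*)[ \t]*$")


def append_header(existing, new_value):
    """Mimic what `RequestHeader append` does: join the values with ', '."""
    return new_value if existing is None else f"{existing}, {new_value}"


def parse_basic_strict(field_value):
    """Parse an Authorization field-value as exactly one Basic credential.
    Returns (user, password), or None when the value is malformed,
    which includes a value merged from several header fields."""
    m = BASIC_RE.match(field_value)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
        text = raw.decode("utf-8")
    except (binascii.Error, ValueError):
        return None
    if ":" not in text:
        return None
    user, _, password = text.partition(":")
    return user, password


def parse_basic_lenient(field_value):
    """A permissive parser (constructed for contrast, not Rails' code):
    take the second whitespace-separated word and decode it, letting the
    base64 decoder discard any stray characters such as the comma."""
    parts = field_value.split()
    if len(parts) < 2 or parts[0] != "Basic":
        return None
    text = base64.b64decode(parts[1]).decode("utf-8", "replace")
    user, _, password = text.partition(":")
    return user, password


if __name__ == "__main__":
    single = "Basic YWxpY2U6c2VjcmV0"          # constructed: alice:secret
    merged = append_header(single, "Basic")    # what the Apache directive yields
    print(merged, "->", parse_basic_strict(merged), parse_basic_lenient(merged))
```

The strict parser returns None for the merged value, which is the behaviour a server should have; the lenient one returns the credential and so never reveals that the header is malformed.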

License: CC-BY-SA with attribution
Not affiliated with StackOverflow