[Web-SIG] Python 3.0 and WSGI 1.0.

Graham Dumpleton graham.dumpleton at gmail.com
Thu Apr 16 09:12:11 CEST 2009 

2009/4/4 Robert Brewer <fumanchu at aminus.org>:
> Alan Kennedy wrote:
>> [Bill]
>> > I think the controlling reference here is RFC 3875.
>>
>> I think the controlling references are RFC 2616, RFC 2396 and RFC
> 3987.
>>
>> RFC 2616, the HTTP 1.1 spec, punts on the question of character
>> encoding for the request URI.
>>
>> RFC 2396, the URI spec, says
>>
>> """
>>    It is expected that a systematic treatment of character encoding
>>    within URI will be developed as a future modification of this
>>    specification.
>> """
>>
>> RFC 3987 is that spec, for Internationalized Resource Identifiers. It
>> says
>>
>> """
>> An IRI is a sequence of characters from the Universal Character Set
>> (Unicode/ISO 10646).
>> """
>>
>> and
>>
>> """
>> 1.2.  Applicability
>>
>>    IRIs are designed to be compatible with recommendations for new URI
>>    schemes [RFC2718].  The compatibility is provided by specifying a
>>    well-defined and deterministic mapping from the IRI character
>>    sequence to the functionally equivalent URI character sequence.
>>    Practical use of IRIs (or IRI references) in place of URIs (or URI
>>    references) depends on the following conditions being met:
>> """
>>
>> followed by
>>
>> """
>>    c.  The URI corresponding to the IRI in question has to encode
>>        original characters into octets using UTF-8.  For new URI
>>        schemes, this is recommended in [RFC2718].  It can apply to a
>>        whole scheme (e.g., IMAP URLs [RFC2192] and POP URLs [RFC2384],
>>        or the URN syntax [RFC2141]).  It can apply to a specific part
>> of
>>        a URI, such as the fragment identifier (e.g., [XPointer]).  It
>>        can apply to a specific URI or part(s) thereof.  For details,
>>        please see section 6.4.
>> """
>>
>> I think the question is "are people using IRIs in the wild"? If so,
>> then we must decide how do we best deal with the problems of
>> recognising iso-8859-1+rfc2037 versus utf-8, or whatever
>> server-configured encoding the user has chosen.
>
> Agreed. The Request-URI needs to handle IRI's. The headers mostly
> don't--almost all headers are of mostly type "token", which is US-ASCII.
> A few are of type "TEXT", which is ISO-8859-1/RFC 2047. The remaining
> (sub)values are mostly custom byte sequences:
>
> field-name           field-value
> ----------           -----------
> Accept               token
> Accept-Charset       token
> Accept-Encoding      token
> Accept-Language      ALPHA, plus ":", "=", "q" etc
> Accept-Ranges        token
> Age                  DIGIT
> Allow                token
> Authorization        token
> Cache-Control        token
> Connection           token
> Content-Encoding     token
> Content-Language     ALPHA
> Content-Length       DIGIT
> Content-Location     absoluteURI | relativeURI
> Content-MD5          base64 of 128 bit md5 digest
> Content-Range        DIGIT, plus "/" etc
> Content-Type         token
> Date                 HTTP-date
> ETag                 TEXT and CHAR
> Expect               token, quoted-string
> Expires              HTTP-date
> >From                 ASCII (see RFC 822)
> Host                 host ":" port
> If-Match             TEXT and CHAR
> If-Modified-Since    HTTP-date
> If-None-Match        TEXT and CHAR
> If-Range             TEXT and CHAR | HTTP-date
> If-Unmodified-Since  HTTP-date
> Last-Modified        HTTP-date
> Location             absoluteURI
> Max-Forwards         DIGIT
> Pragma               token, quoted-string
> Proxy-Authenticate   token
> Proxy-Authorization  token
> Range                token
> Referer              absoluteURI | relativeURI
> Retry-After          HTTP-date | DIGIT
> Server               token, TEXT
> TE                   token
> Trailer              token
> Transfer-Encoding    token
> Upgrade              token
> User-Agent           token, TEXT
> Vary                 token
> Via                  token, host, port
> Warning              quoted-string, HTTP-date, host, port
> WWW-Authenticate     token
>
>
> The Content-Location, Location, and Referer headers are problematic
> since HTTP borrows those from the URI spec, which deals in characters
> and not bytes, as you mentioned. Host, and maybe Via, are also special
> due to possible IDNA-encoding.
>
> Regarding extension headers, I think we should assume that the HTTP/1.1
> spec implies all headers should be token (ASCII) or TEXT (ISO-8859-1).
> >From section 4.2:
>
>    field-content  = <the OCTETs making up the field-value
>                     and consisting of either *TEXT or combinations
>                     of token, separators, and quoted-string>
>
> In addition, the httpbis effort seems to be enforcing this even more
> strongly [1]:
>
>     message-header = field-name ":" OWS [ field-value ] OWS
>     field-name     = token
>     field-value    = *( field-content / OWS )
>     field-content  = *( WSP / VCHAR / obs-text )
>
>   Historically, HTTP has allowed field-content with text in the ISO-
>   8859-1 [ISO-8859-1] character encoding (allowing other character sets
>   through use of [RFC2047] encoding).  In practice, most HTTP header
>   field-values use only a subset of the US-ASCII charset [USASCII].
>   Newly defined header fields SHOULD constrain their field-values to
>   US-ASCII characters.  Recipients SHOULD treat other (obs-text) octets
>   in field-content as opaque data.
>
> So, from where I sit, we have:
>
>  1. Many header values which are ASCII.
>  2. A few header values which are ISO-8859-1 plus RFC 2047.
>  3. A few header values which are URI's (no specified encoding) or IRI's
> (UTF-8).
>
> I understand the desire to decode ASAP, and I agree with Guido that we
> should use a default encoding which the app can override. Looking at the
> above, ISO-8859-1 is the best encoding I know of for all three header
> cases. ASCII can be used as a valid subset without transcoding; headers
> which are ISO-8859-1 are decoded perfectly; URI/IRI headers can be
> transcoded by the app if needed, but mangled opaquely by middleware.
>
> If we make *that* call, then IMO there's no reason not to do the same to
> SCRIPT_NAME, PATH_INFO, and QUERY_STRING.

I am not sure we ended up with a final answer on all of this, but I
don't want to hold up mod_wsgi 3.0, which includes Python 3.0 support,
any longer. As such, am implementing things as per:

  http://www.wsgi.org/wsgi/Amendments_1.0

with exception that will not be attempting to do decoding per RFC
2047. Any CGI variables not related to HTTP headers will also be
handled as latin-1, including SCRIPT_NAME, PATH_INFO and QUERY_STRING.
This should be equivalent with what wsgiref does in Python 3.X and
basically keeps the status quo.

If anyone has any last things to say on all of this, please speak up now.

Graham

More information about the Web-SIG mailing list