This isn’t really related to programming, but I’m using this in a program, so I thought it would be best to ask here. Essentially this is a question about handling anomalies in HTTP requests.
A standard request might look like:
GET / HTTP/1.1
Host: example.com
User-Agent: Firefox
My question is, how should HTTP handle “special characters” in parts of the HTTP request that aren’t usually tampered with. For instance, what if the method was “POST ME” instead of “GET” (i.e. inclusion of a space); would this be encoded to %20?
Another example, suppose I want one of my headers to be “Class:Test: example”, with the extra “:” in the header name (the header value being “example”). Would this be encoded to %3A?
Note: this isn’t about whether any web servers out there would accept such encoding; this is about how it should be done. My program is a fuzz tester, so it is supposed to be testing this sort of thing!
The two question must be answered as “no” and “yes, BUT…”
The “percent encoding” you suggest is defined for content, values, not for the http language syntax. You mix protocol and payload.
You may want to take a look at the RFC that defines HTTP. It clearly defines a syntax. If you stick to that syntax you can create valid extensions (which is what you are trying to do). If you break that syntax you create invalid http requests. That would be a thing you can do inhouse, but most likely such requests won’t work in the open internet, where for example proxies come into play. These have to understand your requests on y syntactical level.
For question 2 the answer is “yes, BUT”, I wrote. So a few words to the BUT:
You can specify such headers and they are valid, if you encode the second ‘:’ as you suggested. However you should understand what you are doing there: you are NOT introducing a hierarchy into header names. Instead you specify a headers content to contain a ‘:’. That is perfectly fine. It is up to your server component to understand, interpret and react as intended to that content.