From f4b34ba962b28a9372090759a74ca587b4774a9b Mon Sep 17 00:00:00 2001 From: Andrew Morgan <1342360+anoadragon453@users.noreply.github.com> Date: Wed, 8 May 2024 13:22:26 +0100 Subject: [PATCH] Note that whitespace around `Authorization` param commas is allowed (#1818) --- .../server_server/newsfragments/1818.clarification | 1 + content/server-server-api.md | 12 +++++++----- 2 files changed, 8 insertions(+), 5 deletions(-) create mode 100644 changelogs/server_server/newsfragments/1818.clarification diff --git a/changelogs/server_server/newsfragments/1818.clarification b/changelogs/server_server/newsfragments/1818.clarification new file mode 100644 index 000000000..8c50b6ace --- /dev/null +++ b/changelogs/server_server/newsfragments/1818.clarification @@ -0,0 +1 @@ +Clarify that whitespace around commas is allowed in the `X-Matrix` `Authorization` header value params list. \ No newline at end of file diff --git a/content/server-server-api.md b/content/server-server-api.md index fb1b06f4e..e92d871c5 100644 --- a/content/server-server-api.md +++ b/content/server-server-api.md 
@@ -350,9 +350,10 @@ def authorization_headers(origin_name, origin_signing_key, The format of the Authorization header is given in [RFC 7235](https://datatracker.ietf.org/doc/html/rfc7235#section-2.1). In -summary, the header begins with authorization scheme `X-Matrix`, followed by -one or more spaces, followed by a comma-separated list of parameters written as -name=value pairs. The names are case insensitive and order does not matter. The +summary, the header begins with authorization scheme `X-Matrix`, followed by one +or more spaces, followed by a comma-separated list of parameters written as +name=value pairs. Zero or more spaces and tabs around each comma are allowed. +The names are case insensitive and order does not matter. The values must be enclosed in quotes if they contain characters that are not allowed in `token`s, as defined in [RFC 7230](https://datatracker.ietf.org/doc/html/rfc7230#section-3.2.6); if a @@ -363,8 +364,9 @@ replaced by the character that follows the backslash. For compatibility with older servers, the sender should - only include one space after `X-Matrix`, -- only use lower-case names, and -- avoid using backslashes in parameter values. +- only use lower-case names, +- avoid using backslashes in parameter values, and +- avoid including whitespace around the commas between name=value pairs. For compatibility with older servers, the recipient should allow colons to be included in values without requiring the value to be enclosed in quotes.
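Review bot: the new file changelogs/server_server/newsfragments/1818.clarification ends without a trailing newline (the diff records "\ No newline at end of file"). Add a final newline so the fragment does not run into the following entry if fragments are concatenated.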
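Review bot: in the hunk at @@ -350,9 +350,10 @@ of content/server-server-api.md, the added sentence "Zero or more spaces and tabs around each comma are allowed." leaves two neighbouring cases unspecified. The sentence before it still says the scheme is "followed by one or more spaces" with no mention of tabs, and nothing says whether whitespace may appear around the `=` inside a name=value pair. This header authenticates the request, so each case should be spelled out to keep two implementations from parsing the same value differently. The passive "are allowed" could also name who is bound by it, for example "recipients must accept zero or more spaces and tabs around each comma". Separately, the re-wrap of "followed by one or more spaces" makes a one-sentence addition touch lines that did not otherwise change; leaving the existing wrap would keep the diff to the new sentence.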
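Review bot: in the hunk at @@ -363,8 +364,9 @@, the new sender bullet "avoid including whitespace around the commas between name=value pairs" has no counterpart on the receiving side: the recipient paragraph in the trailing context still covers only unquoted colons. Suggest adding a sentence there that the recipient should strip spaces and tabs around each comma before reading the parameter name, so that a parser which splits on "," without trimming, and therefore fails to match a name that now has leading whitespace, is clearly non-conforming.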