Is it possible to include multiple CRLFs in a HTTP header-field?

Question

Below is HTTP-message definition in latest HTTP RFC 7230

 HTTP-message   = start-line
                  *( header-field CRLF )
                  CRLF
                  [ message-body ]

Below is definition of header-field,

 header-field   = field-name ":" OWS field-value OWS

 field-name     = token
 field-value    = *( field-content / obs-fold )
 field-content  = field-vchar [ 1*( SP / HTAB ) field-vchar ]
 field-vchar    = VCHAR / obs-text

 obs-fold       = CRLF 1*( SP / HTAB )

..and:

obs-text       = %x80-FF

..and ABNF's:

 VCHAR          =  %x21-7E
                                 ; visible (printing) characters

As we can see, field-value could have multiple obs-folds and obs-folds has one CRLF. It is strange for me for I think CRLF is the end of a header line. Is there an example that multiple CRLFs are encoded into one header-field? Or, do I misunderstand the definition?

Have you tried adding a space before each CRLF? An empty line on its own signals the end of the HTTP headers. — paddy, Jul 06 '15 at 03:12
I do not practise something. I am just confused about if ABNF definitaion of header-field is correct. — appleleaf, Jul 06 '15 at 03:35
So, you are asking whether there is an error in the RFC for HTTP -- one of the most widely used and reviewed information transfer protocols on the planet. — paddy, Jul 06 '15 at 03:42
Yes. But, I am not sure whether it is an error or my misunderstanding. — appleleaf, Jul 06 '15 at 04:57
@appleleaf, Duplicate of http://stackoverflow.com/q/17463676/632951 ? — Pacerier, Jul 29 '16 at 14:18

score 30 · Accepted Answer · edited Oct 07 '21 at 07:34

30

Your understanding of the standard is correct. In the past, multi-line header values were supported under RFC 2616. This feature was known as "Line Folding":

HTTP/1.1 header field values can be folded onto multiple lines if the continuation line begins with a space or horizontal tab. All linear white space, including folding, has the same semantics as SP. A recipient MAY replace any linear white space with a single SP before interpreting the field value or forwarding the message downstream.

So the following two forms were equivalent:

Header: value1, value2

and

Header: value1,
        value2

The newer RFC 7230 explicitly deprecates this. In fact the "obs" in "obs-fold" stands for "obsolete".

Historically, HTTP header field values could be extended over multiple lines by preceding each extra line with at least one space or horizontal tab (obs-fold). This specification deprecates such line folding except within the message/http media type (Section 8.3.1). A sender MUST NOT generate a message that includes line folding (i.e., that has any field-value that contains a match to the obs-fold rule) unless the message is intended for packaging within the message/http media type.

So although I've never seen this feature in practice (or at least haven't noticed it), it exists. Moreover, it seems that line folding wasn't even completely deprecated, and its use is still allowed for the HTTP media type header.

Multi-line headers are still supported by standard HTTP header parsers in languages such as PHP [arv], Java, and Go.

The only concrete example I managed to find of such a header was in this technet blog post which has this image:

Note the yellow 0d 0a (carriage return, line feed) WITHIN the Content-Type header.

edited Oct 07 '21 at 07:34

Community

1
1

answered Jul 09 '15 at 17:31

Malt

28,965
9
65
105

@Malt, The OP is asking "*Is there an example that **multiple** CRLFs are encoded into one header-field?*". Your example shows only **one** CR LF HT sequence.... in other words it's not answering the question. – Pacerier Jul 29 '16 at 14:02
@Pacerier there are two CRLF in the Conten-Type header field. One in yellow, in the middle of the field. The other at the end of the field, before the next field where it serves as a normal HTTP header field delimiter. – Malt Jul 30 '16 at 00:46
Are you referring to the [red circle](http://i.stack.imgur.com/jCcyp.png)? If so, that's not what the OP is saying. He's talking about **multiple obs-folds**, in other words, not just "`CR` `LF`", but "`CR` `LF` `HT`/`SP`". The red circle is "`CR` `LF` `'S'`" and "`CR` `LF` `'C'`". – Pacerier Jul 30 '16 at 05:17
@Pacerier OP specifically asked about "multiple CRLFs .. encoded into one header-field". The example shows a CRLF within a Content-Type field, which also ends with a CRLF. Yes, it's not multiple `obs-fold`, but I don't think that was the question. – Malt Jul 30 '16 at 14:00
I know this answer is a bit old, however you wrote `Moreover, it seems that line folding wasn't even completely deprecated, and its use is still allowed for the HTTP media type header.`. What is the `HTTP media type header`, is there an example of such usage of the by now deprecated header line folding? – tonix Aug 22 '18 at 21:20
@tonix I’m traveling at the moment and wont have access to a proper computer for a while. But I’ve probably written that on the basis of the rfc. I believe that it permits line folds in media-type headers like the Accept header. Try reading the RFC. – Malt Aug 22 '18 at 21:27
OK, thank you! I didn't understand what does `media type header`. – tonix Aug 22 '18 at 21:33
@tonix I think that I’ve meant headers that carry media types, like the Accept header. – Malt Aug 22 '18 at 21:45

Is it possible to include multiple CRLFs in a HTTP header-field?

1 Answers1

Linked