You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: src/oas.md
+10-4Lines changed: 10 additions & 4 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -1165,7 +1165,7 @@ When `example` or `examples` are provided in conjunction with the `schema` field
1165
1165
The `example` and `examples` fields are mutually exclusive, and if either is present it SHALL _override_ any `example` in the schema.
1166
1166
1167
1167
When serializing `in: "header"` parameters with `schema`, URI percent-encoding MUST NOT be applied; if using an RFC6570 implementation that automatically applies it, it MUST be removed before use.
1168
-
Implementations MUST NOT attempt to automatically quote header values, as the quoting rules vary too widely among different headers; users are expected to provide pre-quoted data as needed.
1168
+
Implementations MUST NOT attempt to automatically quote header values, as the quoting rules vary too widely among different headers; see [Appendix D](#appendix-d-serializing-headers-and-cookies) for guidance on quoting and escaping.
1169
1169
1170
1170
Serializing with `schema` is NOT RECOMMENDED for `in: "cookie"` parameters; see [Appendix D](#appendix-d-serializing-headers-and-cookies) for details.
1171
1171
@@ -1183,7 +1183,7 @@ See also [Appendix C: Using RFC6570-Based Serialization](#appendix-c-using-rfc65
1183
1183
###### Fixed Fields for use with `content`
1184
1184
1185
1185
For more complex scenarios, the [`content`](#parameter-content) field can define the media type and schema of the parameter, as well as give examples of its use.
1186
-
Using `content` with a `text/plain` media type is RECOMMENDED for `in: "header"` and `in: "cookie"` parameters where the `schema` strategy is not appropriate.
1186
+
Using `content` with a `text/plain` media type is RECOMMENDED for `in: "cookie"` parameters where the `schema` strategy's percent-encoding and/or delimiter rules are not appropriate.
1187
1187
1188
1188
| Field Name | Type | Description |
1189
1189
| ---- | :----: | ---- |
@@ -2567,7 +2567,7 @@ For simpler scenarios, a [`schema`](#header-schema) and [`style`](#header-style)
2567
2567
When `example` or `examples` are provided in conjunction with the `schema` field, the example MUST follow the prescribed serialization strategy for the header.
2568
2568
2569
2569
When serializing `in: "header"` parameters with `schema`, URI percent-encoding MUST NOT be applied; if using an RFC6570 implementation that automatically applies it, it MUST be removed before use.
2570
-
Implementations MUST NOT attempt to automatically quote header values, as the quoting rules vary too widely among different headers; users are expected to provide pre-quoted data as needed.
2570
+
Implementations MUST NOT attempt to automatically quote header values, as the quoting rules vary too widely among different headers; see [Appendix D](#appendix-d-serializing-headers-and-cookies) for guidance on quoting and escaping.
2571
2571
2572
2572
When `example` or `examples` are provided in conjunction with the `schema` field, the example SHOULD match the specified schema and follow the prescribed serialization strategy for the header.
2573
2573
The `example` and `examples` fields are mutually exclusive, and if either is present it SHALL _override_ any `example` in the schema.
@@ -4519,7 +4519,13 @@ This will expand to the result:
4519
4519
4520
4520
## Appendix D: Serializing Headers and Cookies
4521
4521
4522
-
_**Note:** OAS v3.0.4 and v3.1.1 applied the advice in this section to both headers and cookies.
4522
+
HTTP headers have inconsistent rules regarding what characters are allowed, and how some or all disallowed characters can be escaped and included.
4523
+
While the `quoted-string` ABNF rule given in [[RFC7230]][Section 3.2.6](https://httpwg.org/specs/rfc7230.html#field.components) is the most common escaping solution, it is not sufficiently universal to apply automatically.
4524
+
For example, a strong `ETag` looks like `"foo"` (with quotes, regardless of the contents), and a weak `ETag` looks like `W/"foo"` (note that only part of the value is quoted); the contents of the quotes for this header are also not escaped in the way `quoted-string` contents are.
4525
+
4526
+
For this reason, any data being passed to a header by way of a [Parameter](#parameter-object) or [Header](#header-object) Object needs to be quoted and escaped prior to passing it to the OAS implementation, and the parsed header values are expected to contain the quotes and escapes.
4527
+
4528
+
_**Note:** OAS v3.0.4 and v3.1.1 applied the advice in this section to avoid RFC6570-style serialization to both headers and cookies.
4523
4529
However, further research has indicated that percent-encoding was never intended to apply to headers, so this section has been corrected to apply only to cookies._
4524
4530
4525
4531
[RFC6570](https://www.rfc-editor.org/rfc/rfc6570)'s percent-encoding behavior is not always appropriate for `in: "cookie"` parameters.
0 commit comments