Posted to cvs@httpd.apache.org by je...@apache.org on 2005/02/04 01:08:27 UTC
svn commit: r151264 - in httpd/httpd/branches/2.0.x: CHANGES
docs/conf/httpd-std.conf.in docs/conf/httpd-win.conf
docs/manual/mod/core.xml docs/manual/mod/mod_mime.xml
Author: jerenkrantz
Date: Thu Feb 3 16:08:25 2005
New Revision: 151264
URL: http://svn.apache.org/viewcvs?view=rev&rev=151264
Log:
conf: Remove AddDefaultCharset from the default configuration because
setting a site-wide default does more harm than good.
MFC: 111581
PR: 23421
Reviewed by: fielding, erikabele, jerenkrantz
Modified:
httpd/httpd/branches/2.0.x/CHANGES
httpd/httpd/branches/2.0.x/docs/conf/httpd-std.conf.in
httpd/httpd/branches/2.0.x/docs/conf/httpd-win.conf
httpd/httpd/branches/2.0.x/docs/manual/mod/core.xml
httpd/httpd/branches/2.0.x/docs/manual/mod/mod_mime.xml
Modified: httpd/httpd/branches/2.0.x/CHANGES
URL: http://svn.apache.org/viewcvs/httpd/httpd/branches/2.0.x/CHANGES?view=diff&r1=151263&r2=151264
==============================================================================
--- httpd/httpd/branches/2.0.x/CHANGES (original)
+++ httpd/httpd/branches/2.0.x/CHANGES Thu Feb 3 16:08:25 2005
@@ -1,5 +1,9 @@
Changes with Apache 2.0.53
+ *) conf: Remove AddDefaultCharset from the default configuration because
+ setting a site-wide default does more harm than good. PR 23421.
+ [Roy Fielding]
+
*) Add charset to example CGI scripts. [Roy Fielding]
*) mod_ssl: fail quickly if SSL connection is aborted rather than
Modified: httpd/httpd/branches/2.0.x/docs/conf/httpd-std.conf.in
URL: http://svn.apache.org/viewcvs/httpd/httpd/branches/2.0.x/docs/conf/httpd-std.conf.in?view=diff&r1=151263&r2=151264
==============================================================================
--- httpd/httpd/branches/2.0.x/docs/conf/httpd-std.conf.in (original)
+++ httpd/httpd/branches/2.0.x/docs/conf/httpd-std.conf.in Thu Feb 3 16:08:25 2005
@@ -771,18 +771,6 @@
ForceLanguagePriority Prefer Fallback
#
-# Specify a default charset for all pages sent out. This is
-# always a good idea and opens the door for future internationalisation
-# of your web site, should you ever want it. Specifying it as
-# a default does little harm; as the standard dictates that a page
-# is in iso-8859-1 (latin1) unless specified otherwise i.e. you
-# are merely stating the obvious. There are also some security
-# reasons in browsers, related to javascript and URL parsing
-# which encourage you to always set a default char set.
-#
-AddDefaultCharset ISO-8859-1
-
-#
# Commonly used filename extensions to character sets. You probably
# want to avoid clashes with the language extensions, unless you
# are good at carefully testing your setup after each change.
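Review bot: The removed comment block was the only place in httpd-std.conf.in that mentioned a security rationale ("There are also some security reasons in browsers, related to javascript and URL parsing"), and nothing replaces it, so an administrator reading the new default file gets no hint that charset labelling is now left to them. Consider keeping a two-line comment saying that AddDefaultCharset defaults to Off, and pointing to its documentation and to the AddCharset block that follows for per-extension labelling. The same applies to the identical hunk in httpd-win.conf.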
Modified: httpd/httpd/branches/2.0.x/docs/conf/httpd-win.conf
URL: http://svn.apache.org/viewcvs/httpd/httpd/branches/2.0.x/docs/conf/httpd-win.conf?view=diff&r1=151263&r2=151264
==============================================================================
--- httpd/httpd/branches/2.0.x/docs/conf/httpd-win.conf (original)
+++ httpd/httpd/branches/2.0.x/docs/conf/httpd-win.conf Thu Feb 3 16:08:25 2005
@@ -689,18 +689,6 @@
ForceLanguagePriority Prefer Fallback
#
-# Specify a default charset for all pages sent out. This is
-# always a good idea and opens the door for future internationalisation
-# of your web site, should you ever want it. Specifying it as
-# a default does little harm; as the standard dictates that a page
-# is in iso-8859-1 (latin1) unless specified otherwise i.e. you
-# are merely stating the obvious. There are also some security
-# reasons in browsers, related to javascript and URL parsing
-# which encourage you to always set a default char set.
-#
-AddDefaultCharset ISO-8859-1
-
-#
# Commonly used filename extensions to character sets. You probably
# want to avoid clashes with the language extensions, unless you
# are good at carefully testing your setup after each change.
Modified: httpd/httpd/branches/2.0.x/docs/manual/mod/core.xml
URL: http://svn.apache.org/viewcvs/httpd/httpd/branches/2.0.x/docs/manual/mod/core.xml?view=diff&r1=151263&r2=151264
==============================================================================
--- httpd/httpd/branches/2.0.x/docs/manual/mod/core.xml (original)
+++ httpd/httpd/branches/2.0.x/docs/manual/mod/core.xml Thu Feb 3 16:08:25 2005
@@ -139,8 +139,8 @@
<directivesynopsis>
<name>AddDefaultCharset</name>
-<description>Default character set to be added for a
-response without an explicit character set</description>
+<description>Default charset parameter to be added when a response
+content-type is "text/plain" or "text/html"</description>
<syntax>AddDefaultCharset On|Off|<var>charset</var></syntax>
<default>AddDefaultCharset Off</default>
<contextlist><context>server config</context>
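Review bot: The new description element drops the condition the old one stated, "a response without an explicit character set", so it now reads as if the parameter were added to every text/plain or text/html response. If the directive still leaves an existing charset parameter alone, keep that in the summary, for example: Default charset parameter to be added when a response content-type is "text/plain" or "text/html" and carries no charset.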
@@ -149,21 +149,36 @@
<override>FileInfo</override>
<usage>
- <p>This directive specifies the name of the character set that
- will be added to any response that does not have any parameter on
- the content type in the HTTP headers. This will override any
- character set specified in the body of the document via a
- <code>META</code> tag. A setting of <code>AddDefaultCharset
- Off</code> disables this
- functionality. <code>AddDefaultCharset On</code> enables
- Apache's internal default charset of <code>iso-8859-1</code> as
- required by the directive. You can also specify an alternate
- <var>charset</var> to be used. For example:</p>
+ <p>This directive specifies a default value for the media type
+ charset parameter (the name of a character encoding) to be added
+ to a response if and only if the response's content-type is either
+ "text/plain" or "text/html". This should override any charset
+ specified in the body of the document via a <code>META</code> tag,
+ though the exact behavior is often dependent on the user's client
+ configuration. A setting of <code>AddDefaultCharset Off</code>
+ disables this functionality. <code>AddDefaultCharset On</code> enables
+ a default charset of <code>iso-8859-1</code>. Any other value is assumed
+ to be the <var>charset</var> to be used, which should be one of the
+ <a href="http://www.iana.org/assignments/character-sets">IANA registered
+ charset values</a> for use in MIME media types.
+ For example:</p>
<example>
AddDefaultCharset utf-8
</example>
+
+ <p><code>AddDefaultCharset</code> should only be used when all
+ of the text resources to which it applies are known to be in that
+ character encoding and it is too inconvenient to label their charset
+ individually. One such example is to add the charset parameter
+ to resources containing generated content, such as legacy CGI
+ scripts, that might be vulnerable to cross-site scripting attacks
+ due to user-provided data being included in the output. Note, however,
+ that a better solution is to just fix (or delete) those scripts, since
+ setting a default charset does not protect users that have enabled
+ the "auto-detect character encoding" feature on their browser.</p>
</usage>
+<seealso><directive module="mod_mime">AddCharset</directive></seealso>
</directivesynopsis>
<directivesynopsis>
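Review bot: In the last added paragraph, the advice to "just fix (or delete) those scripts" does not say what the fix is, which leaves the cross-site scripting case half documented. The paragraph already concedes that a server-wide default "does not protect users that have enabled the auto-detect character encoding feature", so it would help to say explicitly that generated content should send its own charset in its Content-Type header and escape user-provided data, in line with the "Add charset to example CGI scripts" entry visible in CHANGES.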
Modified: httpd/httpd/branches/2.0.x/docs/manual/mod/mod_mime.xml
URL: http://svn.apache.org/viewcvs/httpd/httpd/branches/2.0.x/docs/manual/mod/mod_mime.xml?view=diff&r1=151263&r2=151264
==============================================================================
--- httpd/httpd/branches/2.0.x/docs/manual/mod/mod_mime.xml (original)
+++ httpd/httpd/branches/2.0.x/docs/manual/mod/mod_mime.xml Thu Feb 3 16:08:25 2005
@@ -235,7 +235,8 @@
<usage>
<p>The <directive>AddCharset</directive> directive maps the given
filename extensions to the specified content charset. <var>charset</var>
- is the MIME charset parameter of filenames containing
+ is the <a href="http://www.iana.org/assignments/character-sets">MIME
+ charset parameter</a> of filenames containing
<var>extension</var>. This mapping is added to any already in force,
overriding any mappings that already exist for the same
<var>extension</var>.</p>
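Review bot: The link added around "MIME charset parameter" points at the IANA character-sets registry, but the sentence still reads "charset parameter of filenames containing extension", which does not tell the reader that the value should be one of the registered names. core.xml labels the same URL "IANA registered charset values"; using that wording here, and stating that charset should be one of those values, would keep the two pages consistent.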