Message-ID: <20050204000827.51572.qmail@minotaur.apache.org>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Date: Fri, 04 Feb 2005 00:08:27 -0000
Subject: svn commit: r151264 - in httpd/httpd/branches/2.0.x: CHANGES docs/conf/httpd-std.conf.in docs/conf/httpd-win.conf docs/manual/mod/core.xml docs/manual/mod/mod_mime.xml
To: cvs@httpd.apache.org
From: jerenkrantz@apache.org

Author: jerenkrantz
Date: Thu Feb 3 16:08:25 2005
New Revision: 151264

URL: http://svn.apache.org/viewcvs?view=rev&rev=151264
Log:
conf: Remove AddDefaultCharset from the default configuration because
setting a site-wide default does more harm than good.

MFC: 111581
PR: 23421
Reviewed by: fielding, erikabele, jerenkrantz

Modified:
    httpd/httpd/branches/2.0.x/CHANGES
    httpd/httpd/branches/2.0.x/docs/conf/httpd-std.conf.in
    httpd/httpd/branches/2.0.x/docs/conf/httpd-win.conf
    httpd/httpd/branches/2.0.x/docs/manual/mod/core.xml
    httpd/httpd/branches/2.0.x/docs/manual/mod/mod_mime.xml

Modified: httpd/httpd/branches/2.0.x/CHANGES URL: http://svn.apache.org/viewcvs/httpd/httpd/branches/2.0.x/CHANGES?view= =3Ddiff&r1=3D151263&r2=3D151264 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D --- httpd/httpd/branches/2.0.x/CHANGES (original) +++ httpd/httpd/branches/2.0.x/CHANGES Thu Feb 3 16:08:25 2005 
@@ -1,5 +1,9 @@ Changes with Apache 2.0.53 =20 + *) conf: Remove AddDefaultCharset from the default configuration because + setting a site-wide default does more harm than good. PR 23421. + [Roy Fielding] + *) Add charset to example CGI scripts. [Roy Fielding] =20 *) mod_ssl: fail quickly if SSL connection is aborted rather than Modified: httpd/httpd/branches/2.0.x/docs/conf/httpd-std.conf.in URL: http://svn.apache.org/viewcvs/httpd/httpd/branches/2.0.x/docs/conf/htt= pd-std.conf.in?view=3Ddiff&r1=3D151263&r2=3D151264 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D --- httpd/httpd/branches/2.0.x/docs/conf/httpd-std.conf.in (original) +++ httpd/httpd/branches/2.0.x/docs/conf/httpd-std.conf.in Thu Feb 3 16:08= :25 2005 
@@ -771,18 +771,6 @@ ForceLanguagePriority Prefer Fallback =20 # -# Specify a default charset for all pages sent out. This is -# always a good idea and opens the door for future internationalisation -# of your web site, should you ever want it. Specifying it as -# a default does little harm; as the standard dictates that a page -# is in iso-8859-1 (latin1) unless specified otherwise i.e. you -# are merely stating the obvious. There are also some security -# reasons in browsers, related to javascript and URL parsing -# which encourage you to always set a default char set. -# -AddDefaultCharset ISO-8859-1 - -# # Commonly used filename extensions to character sets. You probably # want to avoid clashes with the language extensions, unless you # are good at carefully testing your setup after each change. Modified: httpd/httpd/branches/2.0.x/docs/conf/httpd-win.conf URL: http://svn.apache.org/viewcvs/httpd/httpd/branches/2.0.x/docs/conf/htt= pd-win.conf?view=3Ddiff&r1=3D151263&r2=3D151264 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D --- httpd/httpd/branches/2.0.x/docs/conf/httpd-win.conf (original) +++ httpd/httpd/branches/2.0.x/docs/conf/httpd-win.conf Thu Feb 3 16:08:25= 2005 
@@ -689,18 +689,6 @@ ForceLanguagePriority Prefer Fallback =20 # -# Specify a default charset for all pages sent out. This is -# always a good idea and opens the door for future internationalisation -# of your web site, should you ever want it. Specifying it as -# a default does little harm; as the standard dictates that a page -# is in iso-8859-1 (latin1) unless specified otherwise i.e. you -# are merely stating the obvious. There are also some security -# reasons in browsers, related to javascript and URL parsing -# which encourage you to always set a default char set. -# -AddDefaultCharset ISO-8859-1 - -# # Commonly used filename extensions to character sets. You probably # want to avoid clashes with the language extensions, unless you # are good at carefully testing your setup after each change. Modified: httpd/httpd/branches/2.0.x/docs/manual/mod/core.xml URL: http://svn.apache.org/viewcvs/httpd/httpd/branches/2.0.x/docs/manual/m= od/core.xml?view=3Ddiff&r1=3D151263&r2=3D151264 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D --- httpd/httpd/branches/2.0.x/docs/manual/mod/core.xml (original) +++ httpd/httpd/branches/2.0.x/docs/manual/mod/core.xml Thu Feb 3 16:08:25= 2005 @@ -139,8 +139,8 @@ =20 AddDefaultCharset -Default character set to be added for a -response without an explicit character set +Default charset parameter to be added when a response +content-type is "text/plain" or "text/html" AddDefaultCharset On|Off|charset AddDefaultCharset Off server config @@ -149,21 +149,36 @@ FileInfo =20 -

This directive specifies the name of the character set that - will be added to any response that does not have any parameter on - the content type in the HTTP headers. This will override any - character set specified in the body of the document via a - META tag. A setting of AddDefaultCharset - Off disables this - functionality. AddDefaultCharset On enables - Apache's internal default charset of iso-8859-1 as - required by the directive. You can also specify an alternate - charset to be used. For example:

+

This directive specifies a default value for the media type + charset parameter (the name of a character encoding) to be added + to a response if and only if the response's content-type is either + "text/plain" or "text/html". This should override any charset + specified in the body of the document via a META tag, + though the exact behavior is often dependent on the user's client + configuration. A setting of AddDefaultCharset Off + disables this functionality. AddDefaultCharset On enables + a default charset of iso-8859-1. Any other value is assum= ed + to be the charset to be used, which should be one of the + IANA regist= ered + charset values for use in MIME media types. + For example:

=20 AddDefaultCharset utf-8 + +

AddDefaultCharset should only be used when all + of the text resources to which it applies are known to be in that + character encoding and it is too inconvenient to label their charset + individually. One such example is to add the charset parameter + to resources containing generated content, such as legacy CGI + scripts, that might be vulnerable to cross-site scripting attacks + due to user-provided data being included in the output. Note, however, + that a better solution is to just fix (or delete) those scripts, since + setting a default charset does not protect users that have enabled + the "auto-detect character encoding" feature on their browser.

+AddCharset
=20 Modified: httpd/httpd/branches/2.0.x/docs/manual/mod/mod_mime.xml URL: http://svn.apache.org/viewcvs/httpd/httpd/branches/2.0.x/docs/manual/m= od/mod_mime.xml?view=3Ddiff&r1=3D151263&r2=3D151264 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D --- httpd/httpd/branches/2.0.x/docs/manual/mod/mod_mime.xml (original) +++ httpd/httpd/branches/2.0.x/docs/manual/mod/mod_mime.xml Thu Feb 3 16:0= 8:25 2005 @@ -235,7 +235,8 @@

The AddCharset directive maps the given filename extensions to the specified content charset. charset - is the MIME charset parameter of filenames containing + is the MIME + charset parameter of filenames containing extension. This mapping is added to any already in force, overriding any mappings that already exist for the same extension.
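
Review bot: In the httpd-std.conf.in hunk (@@ -771,18 +771,6 @@) and the identical httpd-win.conf hunk (@@ -689,18 +689,6 @@), the explanatory comment block is deleted together with the "AddDefaultCharset ISO-8859-1" line, so the shipped configuration no longer mentions the directive at all. The removed comment cited browser security reasons, and the new core.xml text still names legacy CGI scripts that include user-provided data as a case where a charset label matters. Consider keeping a commented-out "#AddDefaultCharset ISO-8859-1" with a one-line pointer to the core.xml guidance, so an administrator comparing the new default file against an older one can see that the label was dropped deliberately and where to read about re-enabling it.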
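
Review bot: In the core.xml description hunk (@@ -149,21 +149,36 @@), the rewritten first paragraph drops the old condition that the charset is added only to a response that "does not have any parameter on the content type". As now worded, "if and only if the response's content-type is either "text/plain" or "text/html"" can be read as replacing a charset that a handler or AddCharset has already set. If that behaviour is unchanged, restate the condition in the new sentence, for example "... and the response does not already carry a charset parameter", so readers relying on an explicit per-resource label know it takes precedence.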
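
Review bot: In the mod_mime.xml hunk (@@ -235,7 +235,8 @@), the sentence being rewrapped still reads "charset parameter of filenames containing extension", but a charset parameter belongs to the media type of the resource, not to the filename. Since the line is being touched anyway, consider "the MIME charset parameter for resources with filenames containing extension".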