From: Roy T. Fielding Date: Sat, 11 Dec 2004 05:57:29 +0000 (+0000) Subject: Remove AddDefaultCharset from the default configuration because X-Git-Tag: 2.1.3~278 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=bbb4bfda2c4f6cfe259f5d2af719f9131f8bc45b;p=apache Remove AddDefaultCharset from the default configuration because setting a site-wide default does more harm than good. PR: 23421 git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@111581 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index e9abef2e84..ffc9d164f9 100644 --- a/CHANGES +++ b/CHANGES @@ -2,6 +2,10 @@ Changes with Apache 2.1.3 [Remove entries to the current 2.0 section below, when backported] + *) conf: Remove AddDefaultCharset from the default configuration because + setting a site-wide default does more harm than good. PR 23421. + [Roy Fielding] + Changes with Apache 2.1.2 *) mod_proxy: Respect errors reported by pre_connection hooks. diff --git a/docs/conf/httpd-std.conf.in b/docs/conf/httpd-std.conf.in index 02388110c3..3ebd84ebd7 100644 --- a/docs/conf/httpd-std.conf.in +++ b/docs/conf/httpd-std.conf.in @@ -813,18 +813,6 @@ ServerSignature On - # - # Specify a default charset for all pages sent out. This is - # always a good idea and opens the door for future internationalisation - # of your web site, should you ever want it. Specifying it as - # a default does little harm; as the standard dictates that a page - # is in iso-8859-1 (latin1) unless specified otherwise i.e. you - # are merely stating the obvious. There are also some security - # reasons in browsers, related to javascript and URL parsing - # which encourage you to always set a default char set. - # - AddDefaultCharset ISO-8859-1 - # # Commonly used filename extensions to character sets. You probably # want to avoid clashes with the language extensions, unless you diff --git a/docs/conf/httpd-win.conf b/docs/conf/httpd-win.conf index 61c0697dab..3723439cc4 100644 
--- a/docs/conf/httpd-win.conf +++ b/docs/conf/httpd-win.conf @@ -758,18 +758,6 @@ LanguagePriority en ca cs da de el eo es et fr he hr it ja ko ltz nl nn no pl pt # ForceLanguagePriority Prefer Fallback -# -# Specify a default charset for all pages sent out. This is -# always a good idea and opens the door for future internationalisation -# of your web site, should you ever want it. Specifying it as -# a default does little harm; as the standard dictates that a page -# is in iso-8859-1 (latin1) unless specified otherwise i.e. you -# are merely stating the obvious. There are also some security -# reasons in browsers, related to javascript and URL parsing -# which encourage you to always set a default char set. -# -AddDefaultCharset ISO-8859-1 - # # Commonly used filename extensions to character sets. You probably # want to avoid clashes with the language extensions, unless you diff --git a/docs/manual/mod/core.xml b/docs/manual/mod/core.xml index 2c63f06bfc..71d6235fcb 100644 --- a/docs/manual/mod/core.xml +++ b/docs/manual/mod/core.xml @@ -139,8 +139,8 @@ available AddDefaultCharset -Default character set to be added for a -response without an explicit character set +Default charset parameter to be added when a response +content-type is "text/plain" or "text/html" AddDefaultCharset On|Off|charset AddDefaultCharset Off server config @@ -149,21 +149,36 @@ response without an explicit character set FileInfo -

This directive specifies the name of the character set that - will be added to any response that does not have any parameter on - the content type in the HTTP headers. This will override any - character set specified in the body of the document via a - META tag. A setting of AddDefaultCharset - Off disables this - functionality. AddDefaultCharset On enables - Apache's internal default charset of iso-8859-1 as - required by the directive. You can also specify an alternate - charset to be used. For example:

+

This directive specifies a default value for the media type + charset parameter (the name of a character encoding) to be added + to a response if and only if the response's content-type is either + "text/plain" or "text/html". This should override any charset + specified in the body of the document via a META tag, + though the exact behavior is often dependent on the user's client + configuration. A setting of AddDefaultCharset Off + disables this functionality. AddDefaultCharset On enables + a default charset of iso-8859-1. Any other value is assumed + to be the charset to be used, which should be one of the + IANA registered + charset values for use in MIME media types. + For example:

AddDefaultCharset utf-8 + +

AddDefaultCharset should only be used when all + of the text resources to which it applies are known to be in that + character encoding and it is too inconvenient to label their charset + individually. One such example is to add the charset parameter + to resources containing generated content, such as legacy CGI + scripts, that might be vulnerable to cross-site scripting attacks + due to user-provided data being included in the output. Note, however, + that a better solution is to just fix (or delete) those scripts, since + setting a default charset does not protect users that have enabled + the "auto-detect character encoding" feature on their browser.

+AddCharset
diff --git a/docs/manual/mod/mod_mime.xml b/docs/manual/mod/mod_mime.xml index 29f9ce6e78..b068ed837a 100644 --- a/docs/manual/mod/mod_mime.xml +++ b/docs/manual/mod/mod_mime.xml @@ -235,7 +235,8 @@ charset

The AddCharset directive maps the given filename extensions to the specified content charset. charset - is the MIME charset parameter of filenames containing + is the MIME + charset parameter of filenames containing extension. This mapping is added to any already in force, overriding any mappings that already exist for the same extension.
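
Review bot: The CHANGES entry gives the reason as "does more harm than good" but does not tell an administrator what to do instead. Since the same commit adds guidance to docs/manual/mod/core.xml on when AddDefaultCharset is still appropriate, consider ending the entry with a pointer to that directive's documentation, so that sites which relied on the shipped default know to label their charsets individually or set the directive deliberately.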
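
Review bot: In the docs/conf/httpd-std.conf.in hunk at -813,18 (and the identical hunk in docs/conf/httpd-win.conf at -758,18), the comment block is deleted together with the directive, which removes the only mention in the shipped configuration of the browser "security reasons ... related to javascript and URL parsing". Consider leaving a short comment with the directive commented out and a reference to the AddDefaultCharset documentation, so an administrator serving generated text/html in a single known encoding can still discover the option from the config file rather than only from the manual.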
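
Review bot: In the docs/manual/mod/core.xml hunk at -149,21, the new wording "if and only if the response's content-type is either "text/plain" or "text/html"" drops the condition that the old text stated, namely that the charset is added only to a response "that does not have any parameter on the content type". As written, a reader can conclude that the default replaces a charset already set on the response. Suggest restoring that condition in the first sentence, and in the one-line description changed in the -139,8 hunk, for example "text/plain or text/html and no charset parameter is already present". The closing caveat that a default charset "does not protect users that have enabled the "auto-detect character encoding" feature" is the important security point and would be easier to find as its own note element than at the end of the usage paragraph.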
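
Review bot: In the docs/manual/mod/mod_mime.xml hunk, the sentence being touched still reads "charset parameter of filenames containing extension", but a charset parameter belongs to the media type of the response, not to a filename. Since the line is being edited anyway, consider rewording it to say that charset is the MIME charset parameter sent for files whose names contain extension.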