conf: Remove AddDefaultCharset from the default configuration because

      setting a site-wide default does more harm than good.

MFC: 111581
PR: 23421
Reviewed by: fielding, erikabele, jerenkrantz

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.0.x@151264 13f79535-47bb-0310-9956-ffa450edef68

diff --git a/CHANGES b/CHANGES
index 5e7689bdd622cfdfee8ed8278ecd7a2470d1c698..bc7edcc70d30467125351384a733a71c4e2f4653 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,5 +1,9 @@
 Changes with Apache 2.0.53
 
+  *) conf: Remove AddDefaultCharset from the default configuration because
+     setting a site-wide default does more harm than good. PR 23421.
+     [Roy Fielding]
+
   *) Add charset to example CGI scripts.  [Roy Fielding]
 
   *) mod_ssl: fail quickly if SSL connection is aborted rather than

diff --git a/docs/conf/httpd-std.conf.in b/docs/conf/httpd-std.conf.in
index 32cc2d7c8297440d281644407f70a28f67b8525e..ca6bf17c1e6975bad6a63bbb0c4804f9bd3c580d 100644 (file)
--- a/docs/conf/httpd-std.conf.in
+++ b/docs/conf/httpd-std.conf.in
@@ -770,18 +770,6 @@ LanguagePriority en ca cs da de el eo es et fr he hr it ja ko ltz nl nn no pl pt
 #
 ForceLanguagePriority Prefer Fallback
 
-#
-# Specify a default charset for all pages sent out. This is
-# always a good idea and opens the door for future internationalisation
-# of your web site, should you ever want it. Specifying it as
-# a default does little harm; as the standard dictates that a page
-# is in iso-8859-1 (latin1) unless specified otherwise i.e. you
-# are merely stating the obvious. There are also some security
-# reasons in browsers, related to javascript and URL parsing
-# which encourage you to always set a default char set.
-#
-AddDefaultCharset ISO-8859-1
-
 #
 # Commonly used filename extensions to character sets. You probably
 # want to avoid clashes with the language extensions, unless you

diff --git a/docs/conf/httpd-win.conf b/docs/conf/httpd-win.conf
index 5f32babb6d9eaf372f68348606b13f70ea495b77..6163b8bb5eab6dfed14f0d19c83ffab3e0868e94 100644 (file)
--- a/docs/conf/httpd-win.conf
+++ b/docs/conf/httpd-win.conf
@@ -688,18 +688,6 @@ LanguagePriority en ca cs da de el eo es et fr he hr it ja ko ltz nl nn no pl pt
 #
 ForceLanguagePriority Prefer Fallback
 
-#
-# Specify a default charset for all pages sent out. This is
-# always a good idea and opens the door for future internationalisation
-# of your web site, should you ever want it. Specifying it as
-# a default does little harm; as the standard dictates that a page
-# is in iso-8859-1 (latin1) unless specified otherwise i.e. you
-# are merely stating the obvious. There are also some security
-# reasons in browsers, related to javascript and URL parsing
-# which encourage you to always set a default char set.
-#
-AddDefaultCharset ISO-8859-1
-
 #
 # Commonly used filename extensions to character sets. You probably
 # want to avoid clashes with the language extensions, unless you

diff --git a/docs/manual/mod/core.xml b/docs/manual/mod/core.xml
index ca0e6923c58b21e90f663213cd1c528eb9bd2895..0e3591c4f88ec60cb9af3874c9be8ee28fd0c3b4 100644 (file)
--- a/docs/manual/mod/core.xml
+++ b/docs/manual/mod/core.xml
@@ -139,8 +139,8 @@ available</description>
 
 <directivesynopsis>
 <name>AddDefaultCharset</name>
-<description>Default character set to be added for a
-response without an explicit character set</description>
+<description>Default charset parameter to be added when a response
+content-type is "text/plain" or "text/html"</description>
 <syntax>AddDefaultCharset On|Off|<var>charset</var></syntax>
 <default>AddDefaultCharset Off</default>
 <contextlist><context>server config</context>
@@ -149,21 +149,36 @@ response without an explicit character set</description>
 <override>FileInfo</override>
 
 <usage>
-    <p>This directive specifies the name of the character set that
-    will be added to any response that does not have any parameter on
-    the content type in the HTTP headers. This will override any
-    character set specified in the body of the document via a
-    <code>META</code> tag. A setting of <code>AddDefaultCharset
-    Off</code> disables this
-    functionality. <code>AddDefaultCharset On</code> enables
-    Apache's internal default charset of <code>iso-8859-1</code> as
-    required by the directive. You can also specify an alternate
-    <var>charset</var> to be used. For example:</p>
+    <p>This directive specifies a default value for the media type
+    charset parameter (the name of a character encoding) to be added
+    to a response if and only if the response's content-type is either
+    "text/plain" or "text/html".  This should override any charset
+    specified in the body of the document via a <code>META</code> tag,
+    though the exact behavior is often dependent on the user's client
+    configuration. A setting of <code>AddDefaultCharset Off</code>
+    disables this functionality. <code>AddDefaultCharset On</code> enables
+    a default charset of <code>iso-8859-1</code>. Any other value is assumed
+    to be the <var>charset</var> to be used, which should be one of the
+    <a href="http://www.iana.org/assignments/character-sets">IANA registered
+    charset values</a> for use in MIME media types.
+    For example:</p>
 
     <example>
       AddDefaultCharset utf-8
     </example>
+
+    <p><code>AddDefaultCharset</code> should only be used when all
+    of the text resources to which it applies are known to be in that
+    character encoding and it is too inconvenient to label their charset
+    individually. One such example is to add the charset parameter
+    to resources containing generated content, such as legacy CGI
+    scripts, that might be vulnerable to cross-site scripting attacks
+    due to user-provided data being included in the output.  Note, however,
+    that a better solution is to just fix (or delete) those scripts, since
+    setting a default charset does not protect users that have enabled
+    the "auto-detect character encoding" feature on their browser.</p>
 </usage>
+<seealso><directive module="mod_mime">AddCharset</directive></seealso>
 </directivesynopsis>
 
 <directivesynopsis>

diff --git a/docs/manual/mod/mod_mime.xml b/docs/manual/mod/mod_mime.xml
index 29f9ce6e78d1da606e92ce29a6e9a8dc9e5bb868..b068ed837a9af22a5792adaeacb05cbdcfeb4b70 100644 (file)
--- a/docs/manual/mod/mod_mime.xml
+++ b/docs/manual/mod/mod_mime.xml
@@ -235,7 +235,8 @@ charset</description>
 <usage>
     <p>The <directive>AddCharset</directive> directive maps the given
     filename extensions to the specified content charset. <var>charset</var>
-    is the MIME charset parameter of filenames containing
+    is the <a href="http://www.iana.org/assignments/character-sets">MIME
+    charset parameter</a> of filenames containing
     <var>extension</var>. This mapping is added to any already in force,
     overriding any mappings that already exist for the same
     <var>extension</var>.</p>