Remove AddDefaultCharset from the default configuration because

royfielding · royfielding · commit 8d5c6107a9ee · 2004-12-11T05:57:29.000Z
setting a site-wide default does more harm than good. PR: 23421 git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@111581 13f79535-47bb-0310-9956-ffa450edef68
diff --git a/CHANGES b/CHANGES
@@ -2,6 +2,10 @@ Changes with Apache 2.1.3
 
   [Remove entries to the current 2.0 section below, when backported]
 
+  *) conf: Remove AddDefaultCharset from the default configuration because
+     setting a site-wide default does more harm than good. PR 23421.
+     [Roy Fielding]
+
 Changes with Apache 2.1.2
 
   *) mod_proxy: Respect errors reported by pre_connection hooks.
diff --git a/docs/conf/httpd-std.conf.in b/docs/conf/httpd-std.conf.in
@@ -813,18 +813,6 @@ ServerSignature On
 </IfModule>
 
 <IfModule mod_mime.c>
-    #
-    # Specify a default charset for all pages sent out. This is
-    # always a good idea and opens the door for future internationalisation
-    # of your web site, should you ever want it. Specifying it as
-    # a default does little harm; as the standard dictates that a page
-    # is in iso-8859-1 (latin1) unless specified otherwise i.e. you
-    # are merely stating the obvious. There are also some security
-    # reasons in browsers, related to javascript and URL parsing
-    # which encourage you to always set a default char set.
-    #
-    AddDefaultCharset ISO-8859-1
-
     #
     # Commonly used filename extensions to character sets. You probably
     # want to avoid clashes with the language extensions, unless you
diff --git a/docs/conf/httpd-win.conf b/docs/conf/httpd-win.conf
@@ -758,18 +758,6 @@ LanguagePriority en ca cs da de el eo es et fr he hr it ja ko ltz nl nn no pl pt
 #
 ForceLanguagePriority Prefer Fallback
 
-#
-# Specify a default charset for all pages sent out. This is
-# always a good idea and opens the door for future internationalisation
-# of your web site, should you ever want it. Specifying it as
-# a default does little harm; as the standard dictates that a page
-# is in iso-8859-1 (latin1) unless specified otherwise i.e. you
-# are merely stating the obvious. There are also some security
-# reasons in browsers, related to javascript and URL parsing
-# which encourage you to always set a default char set.
-#
-AddDefaultCharset ISO-8859-1
-
 #
 # Commonly used filename extensions to character sets. You probably
 # want to avoid clashes with the language extensions, unless you
diff --git a/docs/manual/mod/core.xml b/docs/manual/mod/core.xml
@@ -139,8 +139,8 @@ available</description>
 
 <directivesynopsis>
 <name>AddDefaultCharset</name>
-<description>Default character set to be added for a
-response without an explicit character set</description>
+<description>Default charset parameter to be added when a response
+content-type is "text/plain" or "text/html"</description>
 <syntax>AddDefaultCharset On|Off|<var>charset</var></syntax>
 <default>AddDefaultCharset Off</default>
 <contextlist><context>server config</context>
@@ -149,21 +149,36 @@ response without an explicit character set</description>
 <override>FileInfo</override>
 
 <usage>
-    <p>This directive specifies the name of the character set that
-    will be added to any response that does not have any parameter on
-    the content type in the HTTP headers. This will override any
-    character set specified in the body of the document via a
-    <code>META</code> tag. A setting of <code>AddDefaultCharset
-    Off</code> disables this
-    functionality. <code>AddDefaultCharset On</code> enables
-    Apache's internal default charset of <code>iso-8859-1</code> as
-    required by the directive. You can also specify an alternate
-    <var>charset</var> to be used. For example:</p>
+    <p>This directive specifies a default value for the media type
+    charset parameter (the name of a character encoding) to be added
+    to a response if and only if the response's content-type is either
+    "text/plain" or "text/html".  This should override any charset
+    specified in the body of the document via a <code>META</code> tag,
+    though the exact behavior is often dependent on the user's client
+    configuration. A setting of <code>AddDefaultCharset Off</code>
+    disables this functionality. <code>AddDefaultCharset On</code> enables
+    a default charset of <code>iso-8859-1</code>. Any other value is assumed
+    to be the <var>charset</var> to be used, which should be one of the
+    <a href="http://www.iana.org/assignments/character-sets">IANA registered
+    charset values</a> for use in MIME media types.
+    For example:</p>
 
     <example>
       AddDefaultCharset utf-8
     </example>
+
+    <p><code>AddDefaultCharset</code> should only be used when all
+    of the text resources to which it applies are known to be in that
+    character encoding and it is too inconvenient to label their charset
+    individually. One such example is to add the charset parameter
+    to resources containing generated content, such as legacy CGI
+    scripts, that might be vulnerable to cross-site scripting attacks
+    due to user-provided data being included in the output.  Note, however,
+    that a better solution is to just fix (or delete) those scripts, since
+    setting a default charset does not protect users that have enabled
+    the "auto-detect character encoding" feature on their browser.</p>
 </usage>
+<seealso><directive module="mod_mime">AddCharset</directive></seealso>
 </directivesynopsis>
 
 <directivesynopsis>
diff --git a/docs/manual/mod/mod_mime.xml b/docs/manual/mod/mod_mime.xml
@@ -235,7 +235,8 @@ charset</description>
 <usage>
     <p>The <directive>AddCharset</directive> directive maps the given
     filename extensions to the specified content charset. <var>charset</var>
-    is the MIME charset parameter of filenames containing
+    is the <a href="http://www.iana.org/assignments/character-sets">MIME
+    charset parameter</a> of filenames containing
     <var>extension</var>. This mapping is added to any already in force,
     overriding any mappings that already exist for the same
     <var>extension</var>.</p>
