OK, so I thought that the
ValidateRequest stuff was a fluke, a dumb mistake - I mean no company would introduce a breaking change to a production framework...even worse you can't even
specify this in the web.config and have it work in all frameworks, well, one mistake, I can forgive that. But no, it's happened again with the
HttpRequest UnsafeHeaderParsing, put simply this stops many applications from fetching web content by
blocking 'unsafe' headers...fine idea, but it breaks existing code. Here's a crazy idea, why not make the
<httpWebRequest useUnsafeHeaderParsing=”true” /> tag required to turn this off instead
<httpWebRequest useSafeHeaderParsing=”false” /> , so leaving it out causes this 'feature' to be disabled.
I know there's an argument for 'security by default' but not if it breaks applications! It's also not obvious enough that
installing .NET 1.1 SP1 will potentially break applications .