Share

The Standardized Bug

The Specification of Being Wrong

By Nora Kaplan— March 19, 2026

Feature image for article: The Specification of Being Wrong

In 1996, the W3C published a specification telling browsers they were calculating the width of a box wrong. The browsers had shipped first. Millions of pages already depended on the "incorrect" math. Somebody had to give.

Nobody did. Instead, a workaround was introduced, then another, then a formal standard maintained by Apple, Google, Mozilla, and Microsoft — one that described, with growing precision, how the web had been wrong and why it needed to stay that way. That document is still being maintained today. The bug turned twenty-six this year.

The Standardized Bug

The Specification of Being Wrong

By Nora Kaplan— March 19, 2026

In 1996, the W3C published a specification telling browsers they were calculating the width of a box wrong. The browsers had shipped first. Millions of pages already depended on the "incorrect" math. Somebody had to give.

Nobody did. Instead, a workaround was introduced, then another, then a formal standard maintained by Apple, Google, Mozilla, and Microsoft — one that described, with growing precision, how the web had been wrong and why it needed to stay that way. That document is still being maintained today. The bug turned twenty-six this year.

The Typo That Shipped

The Typo Every Browser Still Sends

In 1995, someone on an IETF mailing list pointed out that the HTTP "Referer" header was misspelled. Phillip Hallam-Baker, who'd proposed the field, cracked a joke about Daleks. Roy Fielding noted the Unix spell checker of the era wouldn't have caught either spelling. Everyone shrugged.

By then, software already expected the exact string. RFC 2068 marked it with [sic], the scholarly notation for "yes, we know." That was 1997.

Every HTTP request your browser sent today carried the same typo. Nobody chose to preserve the error. They just chose, repeatedly, not to pay the coordination cost of fixing it.

The Typo That Shipped

The Typo Every Browser Still Sends

In 1995, someone on an IETF mailing list pointed out that the HTTP "Referer" header was misspelled. Phillip Hallam-Baker, who'd proposed the field, cracked a joke about Daleks. Roy Fielding noted the Unix spell checker of the era wouldn't have caught either spelling. Everyone shrugged.

By then, software already expected the exact string. RFC 2068 marked it with [sic], the scholarly notation for "yes, we know." That was 1997.

Every HTTP request your browser sent today carried the same typo. Nobody chose to preserve the error. They just chose, repeatedly, not to pay the coordination cost of fixing it.

TAKE NOTE

Split brain: The misspelled Referer header coexists with the correctly spelled Referrer-Policy header in every modern browser, two spellings of the same word in the same stack

Still canonical: RFC 9110, published June 2022, retains "Referer" because thirty years of deployed software turned a typo into terminology

Correction rejected: The IETF HTTP Working Group discussed fixing the spelling during the 2014 revision and declined, citing breakage across deployed systems

Pure inertia: No committee voted to keep the misspelling; each revision simply decided the cost of coordination exceeded the cost of embarrassment

Custodian of Errors

The Woman Who Keeps the Web Wrong

Custodian of Errors

The Woman Who Keeps the Web Wrong

Permanent Decisions

The Fifty-Year Byte

In the early 1970s, someone at Bell Labs made a quiet decision about how C would store text. No memo survives. That choice created the structural conditions for buffer overflow vulnerabilities, a category of harm that was understood by 1988, studied exhaustively through the 1990s, and the target of a billion-dollar defensive industry by the 2000s. None of it was enough. The flaw persisted for fifty years. Understanding arrived in the first twenty.

Permanent Decisions

The Clock Everyone Can See

At 03:14:07 UTC on January 19, 2038, a counter running since 1970 will hit its maximum value and wrap to a date in December 1901. The math is simple. The fix exists. Everyone who needs to know, knows. Y2K mobilized hundreds of billions in global remediation through deadline pressure and concentrated blame. The 2038 problem has the same clarity and none of the same urgency. Twelve years out, the gap between knowing and doing has barely narrowed.

Permanent Decisions

The Fifty-Year Byte

In the early 1970s, someone at Bell Labs made a quiet decision about how C would store text. No memo survives. That choice created the structural conditions for buffer overflow vulnerabilities, a category of harm that was understood by 1988, studied exhaustively through the 1990s, and the target of a billion-dollar defensive industry by the 2000s. None of it was enough. The flaw persisted for fifty years. Understanding arrived in the first twenty.

Permanent Decisions

The Clock Everyone Can See

At 03:14:07 UTC on January 19, 2038, a counter running since 1970 will hit its maximum value and wrap to a date in December 1901. The math is simple. The fix exists. Everyone who needs to know, knows. Y2K mobilized hundreds of billions in global remediation through deadline pressure and concentrated blame. The 2038 problem has the same clarity and none of the same urgency. Twelve years out, the gap between knowing and doing has barely narrowed.

Permanent Decisions

The Fifty-Year Byte

In the early 1970s, someone at Bell Labs made a quiet decision about how C would store text. No memo survives. That choice created the structural conditions for buffer overflow vulnerabilities, a category of harm that was understood by 1988, studied exhaustively through the 1990s, and the target of a billion-dollar defensive industry by the 2000s. None of it was enough. The flaw persisted for fifty years. Understanding arrived in the first twenty.

Permanent Decisions

The Clock Everyone Can See

At 03:14:07 UTC on January 19, 2038, a counter running since 1970 will hit its maximum value and wrap to a date in December 1901. The math is simple. The fix exists. Everyone who needs to know, knows. Y2K mobilized hundreds of billions in global remediation through deadline pressure and concentrated blame. The 2038 problem has the same clarity and none of the same urgency. Twelve years out, the gap between knowing and doing has barely narrowed.

Echoes

Echoes

The Specification of Being Wrong

The Specification of Being Wrong

The Woman Who Keeps the Web Wrong

The Woman Who Keeps the Web Wrong

The Fifty-Year Byte

The Clock Everyone Can See

The Fifty-Year Byte

The Clock Everyone Can See

The Fifty-Year Byte

The Clock Everyone Can See