Hi there,
a few questions about the header field syntax:
Strict-Transport-Security =
    "Strict-Transport-Security" ":" OWS STS-v OWS
So the header field is *not* using the RFC2616 list syntax. So you can have
Strict-Transport-Security: a; b
but *not*
Strict-Transport-Security: a
Strict-Transport-Security: b
because that would be equivalent to
Strict-Transport-Security: a, b
(is this intentional?)
Also in
; value
STS-v = STS-d
        / STS-d *( OWS ";" OWS STS-d OWS )
; STS directive
STS-d = STS-d-cur / STS-d-ext
; defined STS directives
STS-d-cur = maxAge / [ includeSubDomains ]
having includeSubDomains optional is a bit weird.
This means that the empty string would be a valid STS-d-cur, thus an
empty header field is allowed...
Best regards, Julian
_______________________________________________
websec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/websec
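As an added illustration (not code from the draft or from this thread), here is a small Python parser for the STS-v grammar quoted above. It assumes, from the draft rather than from the mail, that directive names are case-insensitive, that maxAge is "max-age" "=" 1*DIGIT, and that STS-d-ext is token [ "=" ( token / quoted-string ) ]. The include_subdomains_optional switch toggles the literal reading of STS-d-cur = maxAge / [ includeSubDomains ] under which the empty string is a valid directive; combine_header_fields shows why two separate header fields, merged per RFC 2616 section 4.2, no longer match the grammar.

```python
import re

# Constructed example; assumptions about the draft's grammar are marked below.
# RFC 2616 token: 1*<any CHAR except CTLs or separators>, where the
# separators are ( ) < > @ , ; : \ " / [ ] ? = { } SP HT.
TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
# RFC 2616 quoted-string: '"' *( qdtext / quoted-pair ) '"'
QUOTED_STRING_RE = re.compile(r'^"(?:[^"\\]|\\.)*"$')
OWS = " \t"


def _split_directives(value):
    """Split an STS-v on ';' outside quoted-strings and strip OWS from each piece."""
    pieces, buf, in_quote, escaped = [], [], False, False
    for ch in value:
        if escaped:
            buf.append(ch)
            escaped = False
        elif in_quote and ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == '"':
            in_quote = not in_quote
            buf.append(ch)
        elif ch == ";" and not in_quote:
            pieces.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    pieces.append("".join(buf))
    return [p.strip(OWS) for p in pieces]


def parse_sts(value, include_subdomains_optional=True):
    """Parse an STS-v per the quoted ABNF; returns {lowercased-name: value}.

    Assumed from the draft (not stated in the mail): directive names are
    case-insensitive, maxAge = "max-age" "=" 1*DIGIT, and
    STS-d-ext = token [ "=" ( token / quoted-string ) ].
    With include_subdomains_optional=True the grammar is read literally,
    STS-d-cur = maxAge / [ includeSubDomains ], so an empty directive matches.
    """
    directives = {}
    for piece in _split_directives(value):
        if piece == "":
            if include_subdomains_optional:
                continue  # empty string is a valid STS-d-cur under the literal reading
            raise ValueError("empty directive")
        m = re.fullmatch(r"([^=]+)(?:=(.*))?", piece, re.DOTALL)
        if m is None or not TOKEN_RE.match(m.group(1)):
            # A merged "a, b" lands here: ',' and SP are separators, not token chars.
            raise ValueError("directive name is not a token: %r" % piece)
        name, val = m.group(1).lower(), m.group(2)
        if name == "max-age":
            if val is None or not re.fullmatch(r"[0-9]+", val):
                raise ValueError("max-age needs delta-seconds: %r" % piece)
            directives[name] = int(val)
        elif name == "includesubdomains":
            if val is not None:
                raise ValueError("includeSubDomains takes no value: %r" % piece)
            directives[name] = True
        else:  # STS-d-ext
            if val is not None and not (TOKEN_RE.match(val) or QUOTED_STRING_RE.match(val)):
                raise ValueError("extension value is neither token nor quoted-string: %r" % piece)
            directives[name] = val
    return directives


def combine_header_fields(fields):
    """RFC 2616 section 4.2: repeated same-named fields merge into one comma-separated list."""
    return ", ".join(fields)


def rejects(value, **kw):
    """True if parse_sts raises ValueError on value."""
    try:
        parse_sts(value, **kw)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(parse_sts("max-age=31536000; includeSubDomains"))
    print(parse_sts("a; b"))                              # one field, two directives: fine
    merged = combine_header_fields(["a", "b"])            # two fields -> "a, b"
    print(merged, "rejected:", rejects(merged))           # ',' cannot appear in a token
    print("empty value accepted:", parse_sts("") == {})   # literal [ includeSubDomains ]
    print("empty rejected when mandatory:", rejects("", include_subdomains_optional=False))
```

Running the script prints the parse of a normal value, shows that "a; b" is one field with two directives while the RFC 2616 merge of two fields into "a, b" is rejected, and shows that the empty header value is accepted only under the literal reading of the optional includeSubDomains.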