* Julian Reschke wrote:
>> Strict-Transport-Security = "Strict-Transport-Security" ":"
>>                             directive *( ";" [ directive ] )
>>
>> STS directives:
>>
>> directive = max-age | includeSubDomains | STS-d-ext
>>
>> max-age = "max-age" "=" delta-seconds
>
>What happens with
>
>   max-age="1"
>
>?
>
>Do you expect all recipients to reject this? Depending on the parsing
>API they use they might not even know that the value was quoted on the wire.

That doesn't matter much really, if you include relevant edge cases in the specification along with the expected behavior, you are virtually guaranteed that such issues are discovered quickly as implementers and testers will start with what is in the specification to find problems, and it's much less likely that APIs make it very difficult to implement the right behavior at least compared to telling the difference between <x/> and <x /> in an XML document using some XML parser API, as far as my experience with HTTP APIs goes anyway.
-- 
Björn Höhrmann · mailto:[email protected] · http://bjoern.hoehrmann.de
Am Badedeich 7 · Telefon: +49(0)160/4415681 · http://www.bjoernsworld.de
25899 Dagebüll · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/
_______________________________________________
websec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/websec
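
The edge case discussed in this thread, as an added example that is not part of either message or of the draft: a Python parser that reads the field value exactly as the quoted ABNF does, next to the same parser fed through a generic parameter API that strips quoted-strings before the check. The `unquote` helper stands in for such a hypothetical API, unknown directives are assumed to be ignored as `STS-d-ext`, and the sample field values are constructed.

```python
import re

DELTA_SECONDS = re.compile(r"[0-9]+\Z")  # delta-seconds = 1*DIGIT

def split_directives(value):
    # The grammar allows empty directives between ';', so drop them.
    return [d.strip() for d in value.split(";") if d.strip()]

def parse_strict(value):
    """Parse the raw field value exactly as the quoted ABNF reads."""
    policy = {"max_age": None, "include_subdomains": False}
    for directive in split_directives(value):
        name, sep, arg = directive.partition("=")
        name, arg = name.strip().lower(), arg.strip()
        if name == "max-age":
            if not DELTA_SECONDS.match(arg):
                raise ValueError("max-age is not delta-seconds: %r" % arg)
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            if sep:
                raise ValueError("includeSubDomains takes no value")
            policy["include_subdomains"] = True
        # Other names are treated as STS-d-ext and ignored (assumption).
    return policy

def unquote(arg):
    # Hypothetical generic parameter API: returns quoted-string contents.
    if len(arg) >= 2 and arg[0] == arg[-1] == '"':
        return re.sub(r"\\(.)", r"\1", arg[1:-1])
    return arg

def parse_via_generic_api(value):
    """Same checks, but on values the API has already unquoted."""
    parts = []
    for directive in split_directives(value):
        name, sep, arg = directive.partition("=")
        parts.append(name + sep + unquote(arg.strip()))
    return parse_strict(";".join(parts))

def outcome(parser, value):
    try:
        return parser(value)
    except ValueError:
        return "reject"

# Constructed sample field values, including the edge case from the thread.
for sample in ('max-age=1', 'max-age="1"', 'max-age=1;; includeSubDomains'):
    print(sample, outcome(parse_strict, sample),
          outcome(parse_via_generic_api, sample))
```

For `max-age="1"` the two code paths disagree: the strict parser rejects the header while the unquoting path stores a one-second policy, which is the kind of divergence a test case in the specification would surface.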
