Hi there,
Looking at
<http://tools.ietf.org/html/draft-ietf-websec-strict-transport-sec-03>.
I note that the spec doesn't state what ABNF syntax it uses; something
like <http://greenbytes.de/tech/webdav/rfc5988.html#rfc.section.2.p.2>
should be added.
Now for the actual ABNF
(<http://tools.ietf.org/html/draft-ietf-websec-strict-transport-sec-03#section-5.1>):
Strict-Transport-Security = "Strict-Transport-Security" ":"
directive *( ";" [ directive ] )
This works for me.
directive = max-age | includeSubDomains | STS-d-ext
max-age = "max-age" "=" delta-seconds
includeSubDomains = "includeSubDomains"
STS-d-ext = token [ "=" ( token | quoted-string ) ]
I would turn that around; a parser for STS should parse all directives
the same way, thus:
directive = token [ "=" ( token | quoted-string ) ]
And then state that this spec defines two directives, and future specs
can define more (maybe you need to state how to do that; "update" this
spec? Add registry?)
Then, for max-age and includeSubDomains, define their individual syntax
separately, and don't forget to describe what to do with things like:
includeSubDomains="true"
or
max-age
or
max-age="10"
Also:
The max-age directive MUST appear once in the Strict-Transport-
Security header field value. The includeSubDomains directive MAY
appear once. The order of appearance of directives in the Strict-
Transport-Security header field value is not significant.
It would be better to state that *each* directive (including future
ones) must appear only once, and that max-age is REQUIRED and
includeSubDomains is OPTIONAL.
(BTW: wouldn't it make sense to have a default for max-age so it can be
made OPTIONAL?)
Best regards, Julian
_______________________________________________
websec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/websec
