On Thu, Dec 29, 2011 at 1:24 PM, Julian Reschke <[email protected]> wrote:
> On 2011-12-29 22:18, Adam Barth wrote:
>> On Thu, Dec 29, 2011 at 1:13 PM, Julian Reschke<[email protected]>
>> wrote:
>>> On 2011-12-29 20:50, Adam Barth wrote:
>>>> As I wrote before, I don't think we should include quoted-string in
>>>> the grammar. As far as I know, no one has implemented it and I have
>>>> no plans to implement quoted-string in Chrome. Having quoted-string
>>>> in the grammar only leads to pain.
>>>
>>> It would be helpful if you were more precise on the pain it causes,
>>> considering you need to process extension directives anyway...
>>
>> We've been over this several times before. The problem is the
>> requirement to balance DQUOTE and the complexities surrounding the
>> error conditions if the DQUOTEs don't balance properly (including
>> escaping).
>
> Yes, but you are avoiding the question I asked. Are you implementing
> quoted-string for extension parameters?

No.

Here's the grammar I recommend:

  Strict-Transport-Security = "Strict-Transport-Security" ":"
                              directive *( ";" [ directive ] )
  directive         = max-age | includeSubDomains | STS-d-ext
  max-age           = "max-age" "=" delta-seconds
  includeSubDomains = "includeSubDomains"
  STS-d-ext         = token [ "=" token ]

I would also define the precise requirements for parsing all possible
input sequences, but I understand that's not fashionable.

Adam
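
A strict parser for the grammar recommended in the message above, added here as an illustration; it is not part of the original message and not Chrome's code. It shows why dropping quoted-string simplifies parsing: with no DQUOTE to balance, the value can be split on ";" unconditionally. The error handling is an assumption, since the message defines none: optional spaces and tabs around tokens are tolerated, the whole header is rejected on any malformed or duplicate directive, and `max-age` and `includeSubDomains` are treated as reserved names.

```python
import re

# token per RFC 2616: one or more CHARs except CTLs and separators.
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
# One directive: token [ "=" token ], with optional SP/HT around each part
# (whitespace tolerance is an assumption of this example).
DIRECTIVE = re.compile(rf"[ \t]*({TOKEN})[ \t]*(?:=[ \t]*({TOKEN})[ \t]*)?\Z")


def parse_sts(value):
    """Parse a Strict-Transport-Security header value.

    Returns a dict mapping lower-cased directive names to their values
    (int for max-age, str or None otherwise), or None if the value does
    not match the grammar. Rejecting the whole header is an assumed policy.
    """
    # Safe only because the grammar has no quoted-string: a ";" can never
    # appear inside a directive, so no quote tracking is needed.
    parts = value.split(";")
    # The first directive is mandatory; later ones may be empty.
    if not parts[0].strip(" \t"):
        return None
    directives = {}
    for part in parts:
        if not part.strip(" \t"):
            continue  # empty directive, allowed by *( ";" [ directive ] )
        m = DIRECTIVE.match(part)
        if m is None:
            return None  # covers any DQUOTE: '"' is not a token character
        name, val = m.group(1).lower(), m.group(2)
        if name in directives:
            return None  # duplicate directive (assumed policy)
        if name == "max-age":
            # delta-seconds = 1*DIGIT
            if val is None or not val.isdigit():
                return None
            val = int(val)
        elif name == "includesubdomains" and val is not None:
            return None  # includeSubDomains takes no value
        directives[name] = val
    return directives
```
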