On Thu, Dec 29, 2011 at 1:38 PM, Julian Reschke <[email protected]> wrote: > On 2011-12-29 22:32, Adam Barth wrote: >> >> On Thu, Dec 29, 2011 at 1:24 PM, Julian Reschke<[email protected]> >> wrote: >>> >>> On 2011-12-29 22:18, Adam Barth wrote: >>>> >>>> On Thu, Dec 29, 2011 at 1:13 PM, Julian Reschke<[email protected]> >>>> wrote: >>>>> >>>>> On 2011-12-29 20:50, Adam Barth wrote: >>>>>> >>>>>> As I wrote before, I don't think we should include quoted-string in >>>>>> the grammar. As far as I know, no one has implemented it and I have >>>>>> no plans to implement quoted-string in Chrome. Having quoted-string >>>>>> in the grammar only leads to pain., >>>>> >>>>> >>>>> It would be helpful if you were more precise on the pain it causes, >>>>> considering you need to process extension directives anyway... >>>> >>>> >>>> We've been over this several times before. The problem is the >>>> requirement to balance DQUOTE and the complexities surrounding the >>>> error conditions if the DQUOTEs don't balance properly (including >>>> escaping). >>> >>> >>> Yes, but you are avoiding the question I asked. Are you implementing >>> quoted-string for extension parameters? >> >> >> No. >> >> Here's the grammar I recommend: >> >> Strict-Transport-Security = "Strict-Transport-Security" ":" >> directive *( ";" [ directive ] ) >> >> directive = max-age | includeSubDomains | STS-d-ext >> max-age = "max-age" "=" delta-seconds >> includeSubDomains = "includeSubDomains" >> STS-d-ext = token [ "=" token ] >> >> I would also define the precise requirements for parsing all possible >> input sequences, but I understand that's not fashionable. > > Ack. This is at least consistent. > > That being said, I disagree. token=quoted-string is widely implemented, and > if there are clients not getting it right we should fix them. > > If you are aware of specific clients having this problem please list them so > we can open bug reports.
Chrome does not (and will not) implement quoted-string for the STS header for the reasons I've explained previously. You're welcome to file bugs, but I'm just going to close them WONTFIX. Adam _______________________________________________ websec mailing list [email protected] https://www.ietf.org/mailman/listinfo/websec
