On Thu, Dec 29, 2011 at 8:11 PM, Roy T. Fielding <[email protected]> wrote:
> On Dec 29, 2011, at 5:22 PM, Adam Barth wrote:
>> On Thu, Dec 29, 2011 at 5:01 PM, =JeffH <[email protected]>
>> wrote:
>>> Adam Barth noted:
>>>> I would also define the precise requirements for parsing all possible
>>>> input sequences, but I understand that's not fashionable.
>>>
>>> By that, you are suggesting specification of parsing algorithms as done in
>>> RFC6265 "HTTP State Management Mechanism", yes?
>>
>> I actually think what we're doing for CSP is slightly better:
>>
>> http://www.w3.org/TR/CSP/#policies
>
> Hmm, that algorithm breaks on
>
>   foo;;bob
>
> which is allowed by the associated ABNF.  *shrug*

I'm not sure I understand what you think breaks about the algorithm.
I've restricted the loop to non-empty tokens, which hopefully
addresses your concern.

> I don't think I'll ever understand why you keep promoting Ian's
> mantra on specs being written as algorithms.  The algorithms that
> you end up placing in the specs have more bugs than the code
> found in the actual implementations, and they aren't any more
> formal than the ABNF.

The problem is that the ABNF simply doesn't define how to handle error
conditions.  At least with algorithms they define the behavior.  If
the definition is wrong or has bugs, we can fix those bugs.
Eventually the process converges to a correct definition of the
behavior.

Adam
_______________________________________________
websec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/websec
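Added example, not part of the original message and not the CSP specification's text: a sketch of an algorithm-style policy parser that restricts its loop to non-empty tokens, so an input such as `foo;;bob` has one defined result. The name `parsePolicy`, the use of `trim()` for whitespace, and the keep-the-first rule for repeated directive names are assumptions of this sketch.

```javascript
// Hypothetical helper: splits a policy string on ";" and returns a defined
// result for every input, including ones a grammar alone says nothing about.
function parsePolicy(policy) {
  const directives = new Map(); // directive name -> directive value
  const ignored = [];           // tokens dropped by an explicit rule

  for (const raw of String(policy).split(";")) {
    const token = raw.trim();   // assumption: trim() stands in for the
                                // format's own whitespace definition
    // The restriction discussed in the thread: only non-empty tokens
    // are processed, so "foo;;bob" yields two directives, not three.
    if (token === "") continue;

    // First run of non-space characters is the name, the rest the value.
    const m = /^(\S+)(?:\s+([\s\S]*))?$/.exec(token);
    const name = m[1].toLowerCase();
    const value = m[2] === undefined ? "" : m[2];

    // Assumption of this sketch: a repeated name keeps the first
    // occurrence, and the later token is recorded instead of applied.
    if (directives.has(name)) {
      ignored.push(token);
      continue;
    }
    directives.set(name, value);
  }
  return { directives, ignored };
}

// Constructed sample inputs (not taken from any real deployment).
const SAMPLES = [
  "foo;;bob",
  " ; ;; ",
  "default-src 'self'; DEFAULT-SRC *; img-src example.test",
];

function summarize(policy) {
  const { directives, ignored } = parsePolicy(policy);
  return { names: [...directives.keys()], ignored };
}

for (const s of SAMPLES) console.log(JSON.stringify(s), summarize(s));
```
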
