On Fri, Dec 30, 2011 at 12:53 AM, Julian Reschke <[email protected]> wrote:
> On 2011-12-30 09:46, Adam Barth wrote:
>>
>> On Fri, Dec 30, 2011 at 12:18 AM, Julian Reschke<[email protected]>
>> wrote:
>>>
>>> On 2011-12-29 22:45, Adam Barth wrote:
>>>>
>>>> Chrome does not (and will not) implement quoted-string for the STS
>>>> header for the reasons I've explained previously. You're welcome to
>>>> file bugs, but I'm just going to close them WONTFIX.
>>>
>>> So your code intentionally is non-compliant with STS.
>>>
>>> I note that you are both a WG member and also listed as one of the
>>> authors
>>> of the spec. Don't you think that this puts you into a strange position?
>>
>> Not really. IMHO, we should just change the spec.
>
> If you believe that support for quoted-string in extension directives is the
> wrong thing to do, please go ahead and lobby for a change.
Using quoted-string in the extension directive is the wrong thing to do. Because none of the actual directives use quoted-string, folks are likely to write parsers that don't handle all the complexities of quoted-string (which are legion). That means when we go to actually use quoted-string in a future directive, it won't actually work in many user agents.

On the other hand, if we spec the extension directives without quoted-string, future extensions will work even if folks mistakenly implement quoted-string (because DQUOTE is forbidden in the extension syntax I suggested above, so we'll never trigger the mistaken quoted-string parsing code). Everyone lives a happy life.

Anyway, it's all somewhat of a moot point because the above will happen regardless of what we write in the spec. Even if we write quoted-string, when folks attempt to use these extension directives in the future, they'll find that they don't work and they'll update the syntax not to use quoted-string.

Adam
_______________________________________________
websec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/websec
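The parser disagreement described in the message above, as an added example that is not part of the original thread and is not any browser's code. Both parsers are hypothetical sketches, and the extension directive name `ext` and the header values are constructed: a token-only parser and a quoted-string-aware parser agree while values are tokens, and diverge once a value contains DQUOTE.

```python
# Added example; the directive name "ext" and both header values are constructed.

def parse_naive(value):
    """Token-only parser: split on ';' then '=', with no quoted-string support."""
    out = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            out[name.strip().lower()] = val.strip()
    return out

def parse_quoted(value):
    """Parser that honours quoted-string: ';' and backslash escapes inside DQUOTEs."""
    out, i, n = {}, 0, len(value)
    while i < n:
        j = i
        while j < n and value[j] not in "=;":      # directive name
            j += 1
        name, val = value[i:j].strip().lower(), ""
        if j < n and value[j] == "=":
            j += 1
            while j < n and value[j] in " \t":
                j += 1
            if j < n and value[j] == '"':          # quoted-string value
                j += 1
                buf = []
                while j < n and value[j] != '"':
                    if value[j] == "\\" and j + 1 < n:
                        j += 1                     # quoted-pair: keep next char literally
                    buf.append(value[j])
                    j += 1
                if j >= n:
                    raise ValueError("unterminated quoted-string")
                val, j = "".join(buf), j + 1
            else:                                  # token value
                start = j
                while j < n and value[j] != ";":
                    j += 1
                val = value[start:j].strip()
        while j < n and value[j] != ";":           # skip to the next directive
            j += 1
        if name:
            out[name] = val
        i = j + 1
    return out

TOKEN_ONLY = "max-age=31536000; includeSubDomains; ext=abc"
WITH_QUOTES = 'max-age=31536000; ext="a; includeSubDomains; b"'
```

On `WITH_QUOTES` the token-only parser reports an `includesubdomains` directive that the quoted-string-aware parser treats as part of the `ext` value, so two user agents would apply different policies to the same header.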
