On Mon, Jan 2, 2012 at 3:29 PM, =JeffH <[email protected]> wrote:
> Julian wondered..
>>
>> wouldn't it make sense to have a default for max-age so it
>> can be made OPTIONAL?
>
> hm ... I lean towards keeping max-age as REQUIRED (without a default value)
> and thus hopefully encouraging deployers to think a bit about this and its
> ramifications, and also because its value is so site-specific in terms of a
> web application's needs, deployment approach, and tolerance for downside
> risk of breaking itself.

Makes sense to me. Chrome currently ignores the header if the server
doesn't specify a max-age.

Adam
_______________________________________________
websec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/websec
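
The behaviour described in the reply above (a header without max-age is ignored rather than given a default), as an added example that is not part of the original thread and is not Chrome's code. It assumes the header under discussion is Strict-Transport-Security; `parse_sts` and the sample values are hypothetical, and the duplicate-directive and quoted-value handling follow the later published HSTS specification (RFC 6797).

```python
import re

# HTTP token characters; a directive is name[=token|"quoted-string"].
TOKEN = r"[A-Za-z0-9!#$%&'*+.^_`|~-]+"
DIRECTIVE = re.compile(rf'({TOKEN})(?:\s*=\s*(?:"([^"\\]*)"|({TOKEN})))?')


def parse_sts(header_value):
    """Return the policy as a dict, or None when the header must be ignored.

    Hypothetical helper (assumption, not any browser's implementation).
    Quoted values containing ';' or escapes are treated as malformed.
    """
    seen = {}
    for raw in header_value.split(";"):
        part = raw.strip()
        if not part:
            continue  # empty directives, e.g. a trailing ';', are allowed
        m = DIRECTIVE.fullmatch(part)
        if m is None:
            return None  # malformed directive: ignore the whole header
        name = m.group(1).lower()  # directive names are case-insensitive
        if name in seen:
            return None  # each directive may appear only once
        seen[name] = m.group(2) if m.group(2) is not None else m.group(3)

    # max-age is REQUIRED and has no default: if it is absent, valueless,
    # or not a non-negative integer, no policy is noted at all.
    max_age = seen.get("max-age")
    if max_age is None or not re.fullmatch(r"[0-9]+", max_age):
        return None
    # Unrecognised directives stay in `seen` but do not affect the result.
    return {"max_age": int(max_age),
            "include_subdomains": "includesubdomains" in seen}


if __name__ == "__main__":
    # Constructed sample header values, not captured traffic.
    for value in ("max-age=31536000; includeSubDomains",
                  "includeSubDomains",
                  'MAX-AGE="0"',
                  "max-age=10; max-age=20"):
        print(repr(value), "->", parse_sts(value))
```

A deployer can run a check like this against the header their server emits to catch a policy that clients would silently discard.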
