On 2012-01-03 01:50, Adam Barth wrote:
> On Mon, Jan 2, 2012 at 3:29 PM, =JeffH <[email protected]> wrote:
>> Julian wondered..
>>> wouldn't it make sense to have a default for max-age so it
>>> can be made OPTIONAL?
>>
>> hm ... I lean towards keeping max-age as REQUIRED (without a default value)
>> and thus hopefully encouraging deployers to think a bit about this and its
>> ramifications, and also because its value is so site-specific in terms of a
>> web application's needs, deployment approach, and tolerance for downside
>> risk of breaking itself.

Understood. I just wanted to make sure that the simplification was
considered.

> Makes sense to me. Chrome currently ignores the header if the server
> doesn't specify a max-age.

Well yes, the spec says that it's invalid.
Best regards, Julian
_______________________________________________
websec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/websec
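
The behaviour discussed in this thread (max-age is REQUIRED with no default, and a header without it is ignored), as an added example that is not part of the original messages and is not Chrome's code. The function name `parse_sts`, the sample header values, and the handling of quoted values and repeated directives are assumptions, taken from the grammar as later published in RFC 6797.

```python
import re

# max-age value: delta-seconds, bare or as a quoted-string (assumption: RFC 6797 grammar)
_DELTA_SECONDS = re.compile(r'^(?:"(\d+)"|(\d+))$')


def parse_sts(header_value):
    """Parse a Strict-Transport-Security header value.

    Returns {'max_age': int, 'include_subdomains': bool}, or None when the
    header is invalid and the policy must not be noted. There is no default
    for max-age: a missing or malformed max-age means "ignore the header".
    """
    seen = {}
    # Simplification: splits on every ';', so a ';' inside a quoted value of
    # some unknown directive is not handled.
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue  # stray ';' produces an empty directive, which is allowed
        name, sep, value = part.partition("=")
        name = name.strip().lower()  # directive names are case-insensitive
        if name in seen:
            return None  # a directive may appear only once
        seen[name] = value.strip() if sep else None

    raw = seen.get("max-age")
    if raw is None:
        return None  # max-age absent (or present with no '='): invalid
    m = _DELTA_SECONDS.match(raw)
    if m is None:
        return None  # empty or non-numeric max-age: invalid
    return {
        "max_age": int(m.group(1) or m.group(2)),
        # unknown directives are skipped; includeSubDomains is a bare flag
        "include_subdomains": "includesubdomains" in seen,
    }


if __name__ == "__main__":
    # Constructed sample header values, not taken from any real site.
    for sample in ("max-age=31536000; includeSubDomains",
                   "includeSubDomains",
                   "max-age=0",
                   "max-age=600; max-age=1200"):
        print(repr(sample), "->", parse_sts(sample))
```

Callers must compare the result against None rather than test it for truthiness: max-age=0 is a valid policy (it tells the client to stop treating the host as HSTS), while a missing max-age is not a policy at all.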