On 2012-03-09 00:41, =JeffH wrote:
> Thanks for the review Julian,
>> The ABNF now is:
>>
>> Strict-Transport-Security = "Strict-Transport-Security" ":"
>> directive *( ";" [ directive ] )
>>
>> directive = token [ "=" ( token | quoted-string ) ]
>>
>> ...and I think this is almost right.
>>
>> It does allow empty directives (thus repeated or trailing semicolons),
>> but not leading semicolons.
>>
>> So
>>
>> STS: foo ;
>>
>> parses, but
>>
>> STS: ; foo
>>
>> does not.
> well, I guess a question is whether we want "STS: ; foo" to "parse"?
> I'm not sure we do, but can be convinced otherwise.
> Part of the intention of the above ABNF is that the STS header must have
> at least one directive (i.e. max-age - given the constraints in the
> prose following the ABNF).
> I suppose what you're trying to say is that all of the below ought to
> "parse" successfully...
> STS: max-age=nnnnnn
> STS: max-age=nnnnnn
> STS: max-age=nnnnnn ;
> STS: max-age=nnnnnn ; ; ;
> STS: ; max-age=nnnnnn
> STS: ; ; ; max-age=nnnnnn
> STS: ; ; ; max-age=nnnnnn ; ; ;
> ?
Well, either be permissive with respect to superfluous delimiters or
don't; but allowing them in one place but not the other?
>> This could be fixed by saying:
>>
>> Strict-Transport-Security = "Strict-Transport-Security" ":"
>> *( ";" [ directive ] )
>>
> Yes, that'll allow for the constructions above, along with (at most one
> instance of) includeSubDomains being interspersed between any of the
> semicolons.
>> I like the subsequent prose about the additional constraints.
> good :)
>> For 6.1.1 and 6.1.2, we still need to decide whether a) quoted-string
>> should be legal here (I understand that's
>> <http://trac.tools.ietf.org/wg/websec/trac/ticket/33>)
> sections 6.1.1 and 6.1.2 describe the syntax particular to max-age and
> includeSubDomains directives, and neither of those directives employs
> quoted-string, and I don't think they need to or should.
I think they should, because it's likely that people will write parsers
that allow both, thus you'll have an automated (and totally unneeded)
interoperability problem.
> I conceded to add quoted-string syntax to the generic directive syntax of..
> directive = token [ "=" ( token | quoted-string ) ]
> ..in case someone at some time wishes to add an extension directive
> employing quoted-string syntax.
> Are you saying that sections 6.1.1 and 6.1.2 need to explicitly declare
> non-use of quoted-string? Presently it's implied by the declared ABNF.
The opposite.
...
Best regards, Julian
_______________________________________________
websec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/websec
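The two questions argued over in the thread (should empty directives be tolerated anywhere, and should a directive value be allowed as a quoted-string as well as a token) are concrete enough to check in code. The parser below is an added example, not code from the websec list, from JeffH or from Julian. It implements the grammar that RFC 6797 section 6.1 eventually published, `[ directive ] *( ";" [ directive ] )` with `directive-value = token | quoted-string`, which is the permissive-everywhere outcome this exchange was heading toward, together with the prose constraints the message refers to: max-age is required, directive names are case-insensitive and must not repeat, and includeSubDomains takes no value. Everything else is my choice: `parse_hsts` takes only the header field value (not the field name), the `THREAD_CASES` vectors are the forms listed in the message with `nnnnnn` replaced by a constructed one-year value, and whitespace around `=` and `;` is tolerated in the spirit of the implied-LWS convention.

```python
import re
from dataclasses import dataclass, field

# Grammar implemented (RFC 6797, section 6.1); the regexes below are my
# translation of it, not code from the RFC or the mailing list:
#
#   Strict-Transport-Security = "Strict-Transport-Security" ":"
#                               [ directive ] *( ";" [ directive ] )
#   directive       = directive-name [ "=" directive-value ]
#   directive-name  = token
#   directive-value = token | quoted-string

TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"           # HTTP tchar set
QUOTED_STRING = r'"(?:[^"\\]|\\.)*"'              # "..." with \-escapes
DIRECTIVE_RE = re.compile(
    rf"^\s*(?P<name>{TOKEN})\s*(?:=\s*(?P<value>{TOKEN}|{QUOTED_STRING}))?\s*$"
)


class HstsSyntaxError(ValueError):
    """Raised for a field value a UA must ignore as malformed."""


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    extensions: dict = field(default_factory=dict)  # unknown directives, kept for inspection


def _unquote(value):
    """Strip quoted-string delimiters and backslash escapes; tokens pass through."""
    if value.startswith('"'):
        return re.sub(r"\\(.)", r"\1", value[1:-1])
    return value


def parse_hsts(field_value):
    """Parse the value of a Strict-Transport-Security header field.

    Empty directives (leading, trailing or repeated ';') are tolerated, as the
    [ directive ] alternative permits.  The prose constraints are then applied:
    max-age is required, names are case-insensitive and must not repeat, and
    includeSubDomains must not carry a value.
    """
    seen = {}
    for piece in field_value.split(";"):
        if piece.strip() == "":            # empty directive between/around ';'
            continue
        m = DIRECTIVE_RE.match(piece)
        if not m:
            raise HstsSyntaxError(f"malformed directive: {piece!r}")
        name = m.group("name").lower()
        if name in seen:
            raise HstsSyntaxError(f"duplicate directive: {name}")
        seen[name] = m.group("value")      # None when no '=' was present

    if "max-age" not in seen:
        raise HstsSyntaxError("max-age directive is required")
    raw = seen.pop("max-age")
    # delta-seconds = 1*DIGIT, checked after quoted-string unescaping so that
    # max-age=31536000 and max-age="31536000" are treated alike.
    if raw is None or not re.fullmatch(r"[0-9]+", _unquote(raw)):
        raise HstsSyntaxError("max-age needs a delta-seconds value")

    include = False
    if "includesubdomains" in seen:
        if seen.pop("includesubdomains") is not None:
            raise HstsSyntaxError("includeSubDomains takes no value")
        include = True

    extensions = {k: (None if v is None else _unquote(v)) for k, v in seen.items()}
    return HstsPolicy(int(_unquote(raw)), include, extensions)


def is_valid(field_value):
    """True if the field value parses under the grammar and constraints above."""
    try:
        parse_hsts(field_value)
        return True
    except HstsSyntaxError:
        return False


# Constructed test vectors: the forms listed in the thread, with "nnnnnn"
# replaced by a one-year max-age.  Under [ directive ] *( ";" [ directive ] )
# every one of them, leading semicolons included, parses.
THREAD_CASES = (
    "max-age=31536000",
    "max-age=31536000 ;",
    "max-age=31536000 ; ; ;",
    "; max-age=31536000",
    "; ; ; max-age=31536000",
    "; ; ; max-age=31536000 ; ; ;",
)

if __name__ == "__main__":
    for case in THREAD_CASES:
        print(f"{case!r:40} -> {parse_hsts(case)}")
    print(parse_hsts('max-age="31536000"; includeSubDomains; preload'))
```

The point Julian makes about interoperability shows up in `_unquote`: because the generic directive grammar admits a quoted-string, a parser written to that grammar will accept `max-age="31536000"` whether or not section 6.1.1 says so, so the safer choice is to define the unescaped value once and validate it against `delta-seconds` afterwards, rather than have some implementations reject the quoted form and others silently accept it.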