> On 2012-03-09 00:41, =JeffH wrote:
>> Thanks for the review Julian,
>>
>> > The ABNF now is:
>> >
>> > Strict-Transport-Security = "Strict-Transport-Security" ":"
>> > directive *( ";" [ directive ] )
>> >
>> >
>> > directive = token [ "=" ( token | quoted-string ) ]
>> >
>> > ...and I think this is almost right.
>> >
>> > It does allow empty directives (thus repeated or trailing semicolons),
>> > but not leading semicolons.
>> >
>> > So
>> >
>> > STS: foo ;
>> >
>> > parses, but
>> >
>> > STS: ; foo
>> >
>> > does not.
>>
>> well, I guess a question is whether we want "STS: ; foo " to "parse" ?
>>
>> I'm not sure we do, but can be convinced otherwise.
>
> Well, either be permissive with respect to superfluous delimiters or
> don't; but allowing them in one place but not the other?

yeah, seems fine, I'll make that change. the language describing the specifics
of the presently defined directives addresses their cardinality and
required/optional presence.

>> > For 6.1.1 and 6.1.2, we still need to decide whether a) quoted-string
>> > should be legal here (I understand that's
>> > <http://trac.tools.ietf.org/wg/websec/trac/ticket/33>)
>>
>> sections 6.1.1 and 6.1.2 describe the syntax particular to max-age and
>> includeSubDomains directives, and neither of those directives employ
>> quoted-string, and I don't think they need to or should.
>
> I think they should, because it's likely that people will write parsers
> that allow both, thus you'll have an automated (and totally unneeded)
> interoperability problem.

Well, I'm not terribly convinced about this, especially given my code
reconnaissance in Firefox and Chrome. The spec clearly states what the syntax
is for those directives and it doesn't encompass quoted-string variants of the
values for max-age and delta-seconds. I think adding something like that will
needlessly complicate the spec, so I respectfully decline to make such a change.

best regards,
=JeffH
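
The two grammar questions in this thread, as an added example (not code from the draft, Firefox or Chrome): a small Python parser for the quoted ABNF that shows `foo ;` parsing while `; foo` does not, and how a parser that tolerates a quoted max-age value diverges from one that follows sections 6.1.1 and 6.1.2. The function names, the two keyword flags, the whitespace handling and the case-insensitive name match are assumptions.

```python
import re

# RFC 2616 token and quoted-string, as referenced by the ABNF quoted above.
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
QUOTED = r'"(?:[^"\\]|\\.)*"'
# Assumption: optional whitespace is allowed around tokens and delimiters.
DIRECTIVE = re.compile(rf"\s*({TOKEN})\s*(?:=\s*({TOKEN}|{QUOTED}))?\s*")
SPACES = re.compile(r"\s*")


def parse_sts(value, allow_leading_empty=False, allow_quoted_max_age=False):
    """Return [(name, value-or-None), ...] or raise ValueError.

    Both keyword flags are hypothetical switches for the two open questions
    in the thread; they are not part of any draft or browser API.
    Cardinality of directives is deliberately not checked at this level.
    """
    pos, first, out = 0, True, []
    while True:
        m = DIRECTIVE.match(value, pos)
        if m:
            name, val = m.group(1), m.group(2)
            if name.lower() == "max-age":  # assumption: case-insensitive
                val = check_max_age(val, allow_quoted_max_age)
            out.append((name, val))
            pos = m.end()
        elif first and not allow_leading_empty:
            raise ValueError("the first directive is not optional")
        else:
            pos = SPACES.match(value, pos).end()  # empty directive
        first = False
        if pos == len(value):
            return out
        if value[pos] != ";":
            raise ValueError(f"expected ';' at offset {pos}")
        pos += 1


def check_max_age(val, allow_quoted):
    """max-age takes bare digits; the quoted form is the disputed variant."""
    if val and val.startswith('"'):
        if not allow_quoted:
            raise ValueError("quoted-string is not valid for max-age")
        val = val[1:-1]
    if not val or not re.fullmatch(r"[0-9]+", val):
        raise ValueError("max-age needs a delta-seconds value")
    return val
```

With the defaults the parser follows the ABNF as quoted; a site that sends `max-age="300"` gets a policy from the lenient variant and none from the strict one, which is the divergence raised in the thread.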