The ABNF for the Strict-Transport-Security header looks wrong. It now
*requires* a leading ";" before the first directive. None of the 3 examples in
the doc <draft-ietf-websec-strict-transport-sec-06> have a leading ";".
Allowing extraneous semi-colons seems fairly pointless to me, but if we need
them I suggest the following ABNF.
Strict-Transport-Security = "Strict-Transport-Security" ":"
directive *( ";" directive )
directive = [ token [ "=" ( token | quoted-string ) ] ]
<Strict-Transport-Security> makes it obvious that the header field value is 1
or more directives, separated by semi-colons.
The whole <directive> is optional (i.e. an empty string matches <directive>) so
leading, trailing, or consecutive semi-colons in an STS header are ok — they
separate empty directives that can be ignored.
--
James Manger
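Added example, not code from the message above or from the draft: a parser for the STS field value that follows the proposed ABNF, with the RFC 2616 token and quoted-string rules assumed for the terminals. It shows that both "foo ;" and "; foo" parse, that stray semi-colons only yield ignorable empty directives, and that a ";" inside a quoted-string is not treated as a separator.

```python
import re
from typing import List, Optional, Tuple

# Follows the proposed grammar, in which every <directive> is optional:
#   Strict-Transport-Security = "Strict-Transport-Security" ":"
#                               directive *( ";" directive )
#   directive = [ token [ "=" ( token | quoted-string ) ] ]
# RFC 2616 token: one or more CHARs that are neither CTLs nor separators.
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
# RFC 2616 quoted-string: "..." in which quoted-pair (\x) escapes may appear.
QUOTED_STRING = r'"(?:[^"\\\x00-\x1f]|\\[\x00-\x7f])*"'
# One (possibly empty) directive followed by either ";" or the end of input.
DIRECTIVE = re.compile(
    rf"\s*(?:({TOKEN})(?:\s*=\s*({TOKEN}|{QUOTED_STRING}))?)?\s*(;|$)"
)


class StsSyntaxError(ValueError):
    """The field value does not match the grammar."""


def parse_sts(value: str) -> List[Tuple[str, Optional[str]]]:
    """Return (name, value) pairs; value is None for a bare directive.

    Empty directives produced by leading, trailing or doubled ";" are
    skipped, and a quoted-string value is returned with its quotes and
    quoted-pair escapes removed. Names are lower-cased for comparison.
    """
    directives: List[Tuple[str, Optional[str]]] = []
    pos = 0
    while True:
        m = DIRECTIVE.match(value, pos)
        if m is None:
            raise StsSyntaxError(f"cannot parse directive at offset {pos}: {value[pos:]!r}")
        name, raw, sep = m.group(1), m.group(2), m.group(3)
        if name is not None:  # name is None for an empty directive: ignore it
            if raw is not None and raw.startswith('"'):
                raw = re.sub(r"\\(.)", r"\1", raw[1:-1])
            directives.append((name.lower(), raw))
        if sep == "":  # matched end of the field value
            return directives
        pos = m.end()


def is_valid_sts(value: str) -> bool:
    """True if the field value matches the grammar, False otherwise."""
    try:
        parse_sts(value)
        return True
    except StsSyntaxError:
        return False
```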
----------
From: [email protected] [mailto:[email protected]] On Behalf Of
websec issue tracker
Sent: Saturday, 10 March 2012 3:12 AM
To: [email protected];
[email protected]; [email protected]
Cc: [email protected]
Subject: Re: [websec] #33: HSTS: quoted-string grammar in (extension)
directives ?
#33: HSTS: quoted-string grammar in (extension) directives ?
Comment (by jeff.hodges@…):
Further nits wrt STS header ABNF are in the thread rooted here..
[websec] STS ABNF, was: new rev: draft-ietf-websec-strict-transport-sec-04
https://www.ietf.org/mail-archive/web/websec/current/msg01020.html
the crux being..
STS: foo ;
parses, but
STS: ; foo
does not. This could be fixed by saying:
Strict-Transport-Security = "Strict-Transport-Security" ":"
*( ";" [ directive ] )
--
Reporter: jeff.hodges@…
Owner: draft-ietf-websec-strict-transport-sec@…
Type: defect
Status: new
Priority: major
Milestone:
Component: strict-transport-sec
Version:
Resolution:
Severity: Active WG Document
Keywords:
Ticket URL: <http://trac.tools.ietf.org/wg/websec/trac/ticket/33#comment:3>
websec <http://tools.ietf.org/websec/>