[email protected] wrote:
>
> The ABNF for the Strict-Transport-Security header looks wrong. It now
> *requires* a leading ";" before the first directive.

yes, it's broken as you indicate, and you aren't the only person to have
noticed it.

I apologize (to all), I didn't thoroughly vet the suggested change to the ABNF
before incorporating it. doh.

I suspect Julian just didn't look closely at his suggestion before posting it..

https://www.ietf.org/mail-archive/web/websec/current/msg01020.html

> I suggest the following ABNF.
>
> Strict-Transport-Security = "Strict-Transport-Security" ":"
> directive *( ";" directive )
>
> directive = [ token [ "=" ( token | quoted-string ) ] ]

Well, I've been counseled in the past (and agree with it) that having an ABNF
production that is potentially totally null is not such a good idea.

Perhaps this approach addresses this problem and is closer to what Julian
intended..

    Strict-Transport-Security = "Strict-Transport-Security" ":"
                                [ directive ] *( ";" [ directive ] )

    directive = token [ "=" ( token | quoted-string ) ]

?

thanks,
=JeffH
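
The following is an added example, not part of the original message or of any draft text: a small Python recognizer for the field value under the last grammar above, `[ directive ] *( ";" [ directive ] )` with a non-null `directive`. It assumes the usual HTTP definitions of `token` and `quoted-string` and optional whitespace between elements; the name `parse_sts` is hypothetical.

```python
import re

# Assumptions (not from the thread): token and quoted-string use the usual
# HTTP definitions, and optional whitespace may surround ";" and "=".
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
QUOTED = r'"(?:[^"\\]|\\.)*"'

# directive = token [ "=" ( token | quoted-string ) ]   (never matches empty)
DIRECTIVE = re.compile(rf"({TOKEN})(?:[ \t]*=[ \t]*({TOKEN}|{QUOTED}))?")
WS = re.compile(r"[ \t]*")


def parse_sts(value):
    """Match value against [ directive ] *( ";" [ directive ] ).

    Returns a list of (name, value-or-None) pairs, or None when the
    field value does not match the grammar.
    """
    pos, directives = 0, []
    while True:
        pos = WS.match(value, pos).end()
        m = DIRECTIVE.match(value, pos)      # the optional [ directive ] slot
        if m:
            directives.append((m.group(1), m.group(2)))
            pos = WS.match(value, m.end()).end()
        if pos == len(value):                # consumed everything: match
            return directives
        if value[pos] != ";":                # only ";" may separate slots
            return None
        pos += 1


if __name__ == "__main__":
    # Constructed sample field values.
    for sample in ["max-age=31536000; includeSubDomains",
                   "; max-age=0", "max-age=0;", ";;", "",
                   "max-age=", "max-age=0 includeSubDomains"]:
        print(repr(sample), "->", parse_sts(sample))
```

A leading ";" is accepted but not required, and empty slots are skipped, so nullability lives in the list rule rather than in `directive` itself.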