On 2012-03-24 00:01, =JeffH wrote:
> [email protected] wrote:
>>
>> The ABNF for the Strict-Transport-Security header looks wrong. It now
>> *requires* a leading ";" before the first directive.
>
> yes, it's broken as you indicate, and you aren't the only person to have
> noticed it.
>
> I apologize (to all), I didn't thoroughly vet the suggested change to
> the ABNF before incorporating it. doh.
>
> I suspect Julian just didn't look closely at his suggestion before
> posting it..
>
> https://www.ietf.org/mail-archive/web/websec/current/msg01020.html
>
>> I suggest the following ABNF.
>>
>> Strict-Transport-Security = "Strict-Transport-Security" ":"
>>                             directive *( ";" directive )
>>
>> directive = [ token [ "=" ( token | quoted-string ) ] ]
>
> Well, I've been counseled in the past (and agree with it) that having an
> ABNF production that is potentially totally null is not such a good idea.

Why? (want to know :-)

> Perhaps this approach addresses this problem and is closer to what
> Julian intended..
>
> Strict-Transport-Security = "Strict-Transport-Security" ":"
>                             [ directive ] *( ";" [ directive ] )
>
> directive = token [ "=" ( token | quoted-string ) ]
>
> ?

...
Works for me.
Reminder: if the separator character would have been "," in the first
place, you wouldn't need to think about this (->
<http://greenbytes.de/tech/webdav/draft-ietf-httpbis-p1-messaging-19.html#rfc.section.3.2.5>)
Best regards, Julian
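
An added example, not part of the original thread or of any websec draft: a small Python parser for the field value under the `[ directive ] *( ";" [ directive ] )` form quoted above. The name `parse_sts`, the sample values, the simplified quoted-string pattern, and the optional whitespace around ";" are assumptions made for illustration.

```python
import re

# token / quoted-string in the HTTP/1.1 sense (quoted-string simplified:
# no control-character checks).
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
QUOTED = r'"(?:[^"\\]|\\.)*"'
# directive = token [ "=" ( token | quoted-string ) ]
DIRECTIVE = re.compile(rf"({TOKEN})(?:=({TOKEN}|{QUOTED}))?")
OWS = re.compile(r"[ \t]*")  # assumption: optional whitespace around ";"


def parse_sts(value):
    """Parse a field value per: [ directive ] *( ";" [ directive ] ).

    Returns a list of (name, value) pairs; value is None when the directive
    has no "=" part. Raises ValueError for input the grammar cannot produce.
    """
    directives = []
    pos = OWS.match(value, 0).end()
    while True:
        m = DIRECTIVE.match(value, pos)
        if m:  # the optional directive is present at this position
            name, raw = m.group(1), m.group(2)
            if raw is not None and raw.startswith('"'):
                # strip the quotes and undo backslash escapes
                raw = re.sub(r"\\(.)", r"\1", raw[1:-1])
            directives.append((name, raw))
            pos = m.end()
        pos = OWS.match(value, pos).end()
        if pos == len(value):
            return directives
        if value[pos] != ";":
            raise ValueError(f"unexpected {value[pos]!r} at offset {pos}")
        pos = OWS.match(value, pos + 1).end()


if __name__ == "__main__":
    # Constructed sample values: a leading ";" and empty directives are
    # accepted but not required.
    for sample in ("max-age=31536000; includeSubDomains", ";max-age=1", "max-age=1;;"):
        print(repr(sample), "->", parse_sts(sample))
```

With this form the separator is handled outside `directive`, so a directive itself is never empty, while the field value as a whole can still be.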