> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of
> =JeffH
> Sent: Wednesday, May 02, 2012 1:39 PM
> To: IETF WebSec WG
> Subject: [websec] new rev: draft-ietf-websec-strict-transport-sec-07
>
> New rev:
> https://tools.ietf.org/html/draft-ietf-websec-strict-transport-sec-07

The ABNF is better but still doesn't allow for whitespace. In particular, your
example:

    Strict-Transport-Security: max-age=15768000 ; includeSubDomains

...does not match the current ABNF:

    Strict-Transport-Security = "Strict-Transport-Security" ":"
                                [ directive ] *( ";" [ directive ] )
    directive = token [ "=" ( token | quoted-string ) ]

where:

    token = <token, defined in [RFC2616], Section 2.2>
    quoted-string = <quoted-string, defined in [RFC2616], Section 2.2>

In RFC2616, "token" is defined as:

    token = 1*<any CHAR except CTLs or separators>
    separators = "(" | ")" | "<" | ">" | "@"
               | "," | ";" | ":" | "\" | <">
               | "/" | "[" | "]" | "?" | "="
               | "{" | "}" | SP | HT

So all the spaces after the colon are not currently valid. I didn't know if
you wanted to take the spaces out or allow them (probably the latter), so
perhaps this is what you're after:

    directive = *( SP | HT ) token *( SP | HT )
                [ "=" ( token | *( SP | HT ) quoted-string ) ]

-MSK
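
An added example, not part of the original message or of the draft: both grammars quoted above, transcribed into Python regular expressions and run against header lines. It assumes a literal reading of the ABNF (no implicit whitespace between elements) and a simplified quoted-string; every sample line except the draft's own example is constructed, and the helper names are hypothetical.

```python
import re

# RFC 2616 Section 2.2 terminals, transcribed as regular expressions.
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
# Simplified quoted-string: qdtext or quoted-pair between double quotes.
QUOTED = r'"(?:[^"\\\x00-\x08\x0a-\x1f\x7f]|\\[\x00-\x7f])*"'
WS = r"[ \t]*"  # *( SP | HT )

# directive exactly as written in draft-07: no whitespace anywhere.
DRAFT_DIRECTIVE = rf"{TOKEN}(?:=(?:{TOKEN}|{QUOTED}))?"
# directive as suggested in the reply above.
REPLY_DIRECTIVE = rf"{WS}{TOKEN}{WS}(?:=(?:{TOKEN}|{WS}{QUOTED}))?"


def header_grammar(directive):
    # "Strict-Transport-Security" ":" [ directive ] *( ";" [ directive ] )
    return re.compile(
        rf"Strict-Transport-Security:(?:{directive})?(?:;(?:{directive})?)*"
    )


DRAFT = header_grammar(DRAFT_DIRECTIVE)
REPLY = header_grammar(REPLY_DIRECTIVE)


def check(line):
    """Return (accepted by draft-07 ABNF, accepted by the suggested ABNF)."""
    return (DRAFT.fullmatch(line) is not None,
            REPLY.fullmatch(line) is not None)


# The example line from the draft, followed by constructed variants.
EXAMPLE = "Strict-Transport-Security: max-age=15768000 ; includeSubDomains"
SAMPLES = [
    EXAMPLE,
    "Strict-Transport-Security:max-age=15768000;includeSubDomains",
    "Strict-Transport-Security: max-age=15768000; includeSubDomains",
    'Strict-Transport-Security: max-age = "15768000"',
]

if __name__ == "__main__":
    for line in SAMPLES:
        draft_ok, reply_ok = check(line)
        print(f"draft-07={draft_ok!s:5} suggested={reply_ok!s:5} {line}")
```

Read literally, the suggested rule admits whitespace before a directive and around its name, but not between a value and the ";" that follows it, so the draft's example line is still rejected while "max-age=15768000; includeSubDomains" is accepted.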