On 2012-06-01 20:32, =JeffH wrote:
 > Most of my issues were addressed in the latest version, except for this one:
 >
 > > 6.1. Strict-Transport-Security HTTP Response Header Field
 > >
 > > 4. UAs MUST ignore any STS header fields containing directives, or
 > > other header field value data, that does not conform to the
 > > syntax defined in this specification.
 >
 > So this is saying that syntactically invalid STS header fields are
 > to be ignored. This still doesn't say if unrecognized directives are to
 > be ignored or not. (Because they can comply with the generic syntax for
 > directives, so they would be syntactically valid, albeit unrecognized).
 > So can you please add an explicit sentence about that?


Here's the text in my working copy for that item..

<t>
UAs MUST ignore any STS header fields containing
directives, or other header field value data, that does
not conform to the syntax defined in this specification.
UAs MUST also ignore any STS header fields containing
undefined directives.
</t>

Ok?
...

That makes it basically impossible to add extensions; is that intended?

Best regards, Julian
_______________________________________________
websec mailing list
https://www.ietf.org/mailman/listinfo/websec
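
The extensibility concern raised above, as an added example that is not part of the thread or of the draft: a minimal STS header parser that can apply either rule, ignoring the whole header on an undefined directive or skipping only that directive. It assumes `max-age` and `includeSubDomains` are the only defined directives and uses a simplified directive grammar; `x-example-ext` is a constructed extension name.

```python
import re

# Simplified grammar (assumption): directive = token [ "=" ( token | quoted-string ) ]
# Splitting on ";" means a quoted-string containing ";" is rejected as invalid.
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
DIRECTIVE = re.compile(rf'({TOKEN})(?:\s*=\s*({TOKEN}|"[^"\\]*"))?\Z')
DEFINED = {"max-age", "includesubdomains"}  # names compared case-insensitively


def parse_sts(value, reject_undefined):
    """Return the parsed policy, or None if the header field is to be ignored.

    reject_undefined=True  -> rule proposed in the thread: any undefined
                              directive causes the whole header to be ignored.
    reject_undefined=False -> alternative: undefined directives are skipped.
    """
    seen = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue  # empty directive, e.g. a trailing ";"
        m = DIRECTIVE.match(part)
        if m is None:
            return None  # syntactically invalid: ignored under both rules
        name = m.group(1).lower()
        if name in seen:
            return None  # repeated directive, treated as non-conforming here
        seen[name] = m.group(2)  # None when the directive has no value

    if reject_undefined and any(n not in DEFINED for n in seen):
        return None
    if seen.get("includesubdomains") is not None:
        return None  # includeSubDomains takes no value
    age = (seen.get("max-age") or "").strip('"')
    if not re.fullmatch(r"[0-9]+", age):
        return None  # max-age is required and must be a non-negative integer
    return {"max_age": int(age), "include_subdomains": "includesubdomains" in seen}


if __name__ == "__main__":
    # Constructed header values
    for hdr in ("max-age=31536000; includeSubDomains",
                "max-age=600; x-example-ext=1",
                "max-age=600; bad directive"):
        print(repr(hdr), parse_sts(hdr, True), parse_sts(hdr, False))
```

Under the first rule, a server that starts sending the constructed extension directive loses its STS policy entirely on clients that do not know that directive; under the second, those clients keep enforcing `max-age`.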