On 01/06/2012 19:32, =JeffH wrote:
> > Most of my issues were addressed in the latest version, except for
> > this one:
> >
> > > 6.1. Strict-Transport-Security HTTP Response Header Field
> > >
> > > 4. UAs MUST ignore any STS header fields containing directives, or
> > > other header field value data, that does not conform to the
> > > syntax defined in this specification.
> >
> > So this is saying that syntactically invalid STS header fields are
> > to be ignored. This still doesn't say if unrecognized directives are to
> > be ignored or not. (Because they can comply with the generic syntax for
> > directives, so they would be syntactically valid, albeit unrecognized).
> > So can you please add an explicit sentence about that?
>
> Here's the text in my working copy for that item...
>
> <t>
> UAs MUST ignore any STS header fields containing
> directives, or other header field value data, that does
> not conform to the syntax defined in this specification.
> UAs MUST also ignore any STS header fields containing
> undefined directives.
> </t>
>
> Ok?
I agree with Julian: this will make the header field effectively
non-extensible. And if you update the header field by adding new values,
all older implementations will start ignoring it, which is a deployment
headache.
But if the WG thinks that that is the way to go...
_______________________________________________
websec mailing list
websec@ietf.org
https://www.ietf.org/mailman/listinfo/websec
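The two UA behaviours being argued over above, side by side, as an added example (Python) that is not code from the draft or from anyone on the list. `parse_sts` implements the STS field grammar (directives separated by `;`, names are tokens, values are tokens or quoted-strings, no directive may repeat, `max-age` is required) and takes a `reject_unknown` switch: `True` is the working-copy text quoted above (any undefined directive makes the UA drop the whole field), `False` ignores only the unrecognised directives, which is the extensible behaviour the reply argues for and the rule the published RFC 6797 (section 6.1, rule 5) ended up with. `KNOWN_DIRECTIVES`, `STSPolicy`, the helper names and every header value in `demo()` are constructed for this example; `preload` is used only as a stand-in for a directive the draft does not define.

```python
"""STS header field parser contrasting 'reject the whole field on an
unknown directive' with 'ignore only the unknown directive'."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Optional

# RFC 2616 token characters (no CTLs, no separators).
TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
# quoted-string with backslash quoted-pairs.
QUOTED_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"$')

# Directives the draft defines (constructed constant for this example).
KNOWN_DIRECTIVES = {"max-age", "includesubdomains"}


class InvalidSTS(ValueError):
    """Raised when the field value does not conform to the STS syntax."""


@dataclass
class STSPolicy:
    max_age: int
    include_subdomains: bool = False
    ignored: list[str] = field(default_factory=list)  # unknown directives dropped


def _split_directives(value: str) -> list[str]:
    """Split on ';' but not inside a quoted-string."""
    parts, buf, in_quote, escaped = [], [], False, False
    for ch in value:
        if escaped:
            buf.append(ch)
            escaped = False
        elif in_quote and ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == '"':
            in_quote = not in_quote
            buf.append(ch)
        elif ch == ";" and not in_quote:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    if in_quote:
        raise InvalidSTS("unterminated quoted-string")
    parts.append("".join(buf))
    return parts


def _parse_directive(raw: str) -> Optional[tuple[str, Optional[str]]]:
    """Return (lowercased name, value-or-None); None for an empty slot."""
    raw = raw.strip(" \t")
    if not raw:
        return None  # grammar allows empty directive slots, e.g. 'a;;b'
    name, sep, val = raw.partition("=")
    name = name.strip(" \t")
    if not TOKEN_RE.match(name):
        raise InvalidSTS(f"directive name is not a token: {name!r}")
    if not sep:
        return name.lower(), None
    val = val.strip(" \t")
    if TOKEN_RE.match(val):
        return name.lower(), val
    m = QUOTED_RE.match(val)
    if m:
        return name.lower(), re.sub(r"\\(.)", r"\1", m.group(1))
    raise InvalidSTS(f"value is neither token nor quoted-string: {val!r}")


def parse_sts(value: str, reject_unknown: bool) -> Optional[STSPolicy]:
    """Parse an STS field value; None means the UA must ignore the field."""
    seen: dict[str, Optional[str]] = {}
    try:
        for raw in _split_directives(value):
            d = _parse_directive(raw)
            if d is None:
                continue
            name, val = d
            if name in seen:  # a directive must not appear more than once
                raise InvalidSTS(f"duplicate directive {name}")
            seen[name] = val
    except InvalidSTS:
        return None  # syntactically invalid: ignore the whole field
    unknown = [n for n in seen if n not in KNOWN_DIRECTIVES]
    if unknown and reject_unknown:
        return None  # working-copy text: undefined directive kills the field
    max_age = seen.get("max-age")
    if max_age is None or not max_age.isdigit():
        return None  # max-age is required and its value is delta-seconds
    # includeSubDomains is valueless; presence alone is checked here.
    return STSPolicy(int(max_age), "includesubdomains" in seen, unknown)


def demo() -> dict[str, tuple[Optional[STSPolicy], Optional[STSPolicy]]]:
    """Constructed header values run through both policies."""
    headers = {
        "baseline": "max-age=31536000; includeSubDomains",
        "extended": "max-age=31536000; includeSubDomains; preload",
        "duplicate": "max-age=100; max-age=200",
        "bad-syntax": 'max-age=31536000; foo="unterminated',
        "no-max-age": "includeSubDomains",
    }
    return {k: (parse_sts(v, True), parse_sts(v, False)) for k, v in headers.items()}


if __name__ == "__main__":
    for name, (strict, lenient) in demo().items():
        print(f"{name:11} reject_unknown={strict}  ignore_unknown={lenient}")
```

The `extended` case is the deployment headache in the reply: once a newer specification adds a directive, a UA built to the working-copy text silently loses the entire HSTS policy for that host, while a UA that drops only the unknown directive keeps enforcing `max-age` and `includeSubDomains`.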