I tend to agree with Jeff and Andy's comments.
The real use case / need for "report-only" is not fully clear to me.
Yes, it could always be nice to have one more test-case to run before
going live with a system, but IMHO I am having a hard time seeing where
this flag would really add value.
And we should not add features (and complexity) such as "report-only" to
an I-D just for the sake of it and because they might one day possibly be
helpful for an unclear or theoretical use-case.
Just my 5 cents.
Best regards, Tobias
On 29/06/12 21:56, =JeffH wrote:
> > Existence of "I am testing HSTS" directive would
> > allow browsers to present debug information on HSTS succeeding/failing
> > in some form (browser logs, additional debug frame, etc.)
>
> This "report-only"/"testing" mode notion came up in WG discussion in
> Paris, inspired in part on the "report-only" functionality in the
> Content Security Policy spec.
>
> The way CSP handles signaling "report-only" is via a separate header
> field ("Content-Security-Policy-Report-Only"), rather than as a
> directive.
>
> Given that HSTS as presently specified is implemented in several
> browsers (Chrome, Firefox, Opera12beta), and deployed by a number of
> sites, we suggest finishing up the HSTS spec as is.
>
> Then, if there's interest and energy to define a
> "report-only"/"testing" mode, a fairly simple follow-on spec could be
> written leveraging the original HSTS spec and defining just what's
> needed for this.
>
> =JeffH
_______________________________________________
websec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/websec