On 2013-02-26 11:24, Tobias Gondrom wrote:
Thanks a lot for bringing this to WG attention.
It seems that I misread that point when I first wrote the draft.
Actually the same is true for IE.
I corrected the ABNF in the new version to reflect IE and Mozilla behavior.
Best regards and thanks a lot for catching this!
Tobias
...


See <https://bugzilla.mozilla.org/show_bug.cgi?id=836132#c19>:

Phil Ames 2013-02-26 08:00:53 PST

From http://tools.ietf.org/html/draft-ietf-websec-x-frame-options-02#section-2.2 :

"The values are specified as ABNF strings, and therefore are case-insensitive"

and the relevant methods in the code use "[header-value].LowerCaseEqualsLiteral(...)" so they match case-insensitively.

One note: I think the spec is incorrect in stating that FF/Chrome support colons in 2.2.2; Chrome has no support at all for Allow-From (just my pending patch, which has the same behavior as the one that led to this bug), and obviously colons are not supported here either (and the intent seems to be to not permit them).

So I believe <http://tools.ietf.org/html/draft-ietf-websec-x-frame-options-02#section-2.2.2> needs to be fixed; in the best case by just removing it.

Best regards, Julian
_______________________________________________
websec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/websec
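To make the two points in the thread concrete (directive names are compared case-insensitively, as in Firefox's LowerCaseEqualsLiteral comparison, and the colon form "ALLOW-FROM: uri" that draft-02 section 2.2.2 attributed to Firefox/Chrome is not accepted), here is an added example parser. It is not code from the draft, from Firefox or from Chrome; parseXFrameOptions is a name chosen here, the sample header values are constructed, and the treatment of the ALLOW-FROM argument (one whitespace-separated URI, reduced to its origin) is this example's own reading of the directive.

```javascript
// Added example (not browser or spec code): parse an X-Frame-Options header
// value into { directive, origin? }. Directive tokens are matched
// case-insensitively, so "deny", "Deny" and "DENY" are all the DENY directive.
// "ALLOW-FROM: https://example.org" (with a colon) does not match the
// "allow-from" token and is reported as INVALID.
function parseXFrameOptions(headerValue) {
  if (typeof headerValue !== "string") return { directive: "INVALID" };
  const trimmed = headerValue.trim();
  const lower = trimmed.toLowerCase();

  // Single-token directives: the whole value, lower-cased, must equal the literal.
  if (lower === "deny") return { directive: "DENY" };
  if (lower === "sameorigin") return { directive: "SAMEORIGIN" };

  // ALLOW-FROM takes exactly one whitespace-separated URI. Splitting on
  // whitespace leaves the colon attached to the token ("allow-from:"), so the
  // colon form fails this comparison rather than being silently accepted.
  const parts = trimmed.split(/\s+/);
  if (parts.length === 2 && parts[0].toLowerCase() === "allow-from") {
    let origin;
    try {
      origin = new URL(parts[1]).origin; // assumption: only the origin matters
    } catch (e) {
      return { directive: "INVALID" };
    }
    if (origin === "null") return { directive: "INVALID" }; // opaque origin
    return { directive: "ALLOW-FROM", origin };
  }
  return { directive: "INVALID" };
}

// Constructed sample header values exercising the case-insensitivity and
// colon behaviour discussed in the thread.
const SAMPLE_HEADERS = [
  "DENY",
  "deny",
  "SameOrigin",
  "allow-from https://example.org/some/path",
  "ALLOW-FROM: https://example.org",
  "allow-from",
];

// Returns one parse result per sample, in order.
function parseSamples() {
  return SAMPLE_HEADERS.map(parseXFrameOptions);
}

// When run directly, print the table of sample results.
if (typeof require !== "undefined" && require.main === module) {
  for (const [i, h] of SAMPLE_HEADERS.entries()) {
    console.log(JSON.stringify(h), "=>", JSON.stringify(parseSamples()[i]));
  }
}
```

The check to take away is the ordering: compare the lower-cased token against the literal first, and only then look at the argument, so that a stray colon or a second token can never be confused with a valid directive.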
