On Feb 19, 2014 6:05 PM, "Chris Palmer" <[email protected]> wrote:

> > And that deployment would actually be made more confusing, not less, by
> > having two analogous headers, named in the same pattern, that behave
> > differently - I think that's likely to cause as much confusion as anything
> > else.
>
> Yeah, I see that. I think I'll have to change the text to allow the
> CSP-style enforce 1 policy, report on another behavior.
>
> So, how about this:
>
> <t>If a Host sets both the Public-Key-Pins header and the
> Public-Key-Pins-Report-Only header, the UA MUST note and enforce Pin
> Validation as specified by the Public-Key-Pins header, and SHOULD note and

"And the pins" is a typo. I'm not clear what "note" means in this context. You probably mean "not ignore", but I don't know the least ambiguous verb to use. In any event, I like the sentiment.

> the Pins and directives given in the Public-Key-Pins-Report-Only header. If
> the UA does note the Pins and directives in the Public-Key-Pins-Report-Only
> header it SHOULD evaluate the specified policy and SHOULD report any
> would-be Pin Validation failures that would occur if the report-only policy
> were enforced.</t>

(Sent on a phone)
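The rule under discussion (enforce the Public-Key-Pins policy, evaluate the Public-Key-Pins-Report-Only policy in parallel and only report its would-be failures) as a small Python model of the UA side. This is an added example, not code from this thread or from any browser or draft; the header parser, the `evaluate_pinning_headers` function, the hostname and the SPKI "hashes" are all constructed for illustration and are not real fingerprints.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class PinPolicy:
    """Directives carried by one Public-Key-Pins(-Report-Only) field value."""
    pins: set = field(default_factory=set)      # base64 SPKI SHA-256 values
    max_age: Optional[int] = None
    include_subdomains: bool = False
    report_uri: Optional[str] = None

# directive = name [ "=" [quoted] value [quoted] ]   (hypothetical, simplified grammar)
_DIRECTIVE = re.compile(r'\s*([A-Za-z0-9-]+)\s*(?:=\s*("?)([^";]*)\2)?\s*')

def parse_pin_header(value: str) -> PinPolicy:
    """Split a field value on ';' and fold each directive into a PinPolicy.
    Directive names are case-insensitive; unknown directives are ignored."""
    policy = PinPolicy()
    for raw in value.split(";"):
        if not raw.strip():
            continue
        m = _DIRECTIVE.fullmatch(raw)
        if not m:
            raise ValueError(f"malformed directive: {raw!r}")
        name = m.group(1).lower()
        val = m.group(3).strip() if m.group(3) is not None else None
        if name == "pin-sha256" and val:
            policy.pins.add(val)
        elif name == "max-age" and val is not None:
            policy.max_age = int(val)
        elif name == "includesubdomains":
            policy.include_subdomains = True
        elif name == "report-uri" and val is not None:
            policy.report_uri = val
    return policy

def pin_validation(policy: PinPolicy, chain_spki_sha256: list) -> bool:
    """Pin Validation passes when at least one pinned SPKI hash appears
    somewhere in the served certificate chain."""
    return bool(policy.pins) and any(h in policy.pins for h in chain_spki_sha256)

@dataclass
class Outcome:
    connection_allowed: bool
    reports: list = field(default_factory=list)

def _report(host: str, mode: str, policy: PinPolicy, chain: list) -> dict:
    # Minimal report body; the real report format is not modelled here.
    return {"hostname": host, "mode": mode, "report-uri": policy.report_uri,
            "known-pins": sorted(policy.pins), "served-chain": list(chain)}

def evaluate_pinning_headers(host: str, headers: dict, chain_spki_sha256: list) -> Outcome:
    """The enforced header alone decides whether the connection proceeds.
    The report-only header is evaluated as if it were enforced, but a failure
    there only produces a report and never blocks the connection."""
    outcome = Outcome(connection_allowed=True)
    enforced = headers.get("Public-Key-Pins")
    if enforced is not None:
        policy = parse_pin_header(enforced)
        if not pin_validation(policy, chain_spki_sha256):
            outcome.connection_allowed = False
            outcome.reports.append(_report(host, "enforced", policy, chain_spki_sha256))
    report_only = headers.get("Public-Key-Pins-Report-Only")
    if report_only is not None:
        ro_policy = parse_pin_header(report_only)
        if not pin_validation(ro_policy, chain_spki_sha256):
            outcome.reports.append(_report(host, "report-only", ro_policy, chain_spki_sha256))
    return outcome

# Constructed sample data: placeholder strings stand in for base64 SPKI hashes.
SERVED_CHAIN = ["LEAF_SPKI_HASH_BASE64=", "INTERMEDIATE_SPKI_HASH_BASE64="]
SAMPLE_HEADERS = {
    # Enforced policy pins the current leaf plus a backup key.
    "Public-Key-Pins": 'pin-sha256="LEAF_SPKI_HASH_BASE64="; '
                       'pin-sha256="BACKUP_SPKI_HASH_BASE64="; max-age=5184000; '
                       'includeSubDomains; report-uri="https://example.invalid/hpkp-report"',
    # Report-only policy trials a rollover key that is not yet in the chain.
    "Public-Key-Pins-Report-Only": 'pin-sha256="NEW_ROLLOVER_SPKI_HASH_BASE64="; '
                                   'max-age=60; report-uri="https://example.invalid/hpkp-ro-report"',
}

if __name__ == "__main__":
    result = evaluate_pinning_headers("example.invalid", SAMPLE_HEADERS, SERVED_CHAIN)
    print("connection allowed:", result.connection_allowed)
    for r in result.reports:
        print(f"{r['mode']} failure -> {r['report-uri']}")
```

With the constructed headers the enforced policy matches the leaf, so the connection proceeds, while the report-only policy (pinning a key that is not in the served chain) produces exactly one would-be-failure report addressed to its own report-uri; the two headers are evaluated independently and the report-only one never affects `connection_allowed`.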
_______________________________________________
websec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/websec
