On Fri, Jan 13, 2012 at 4:24 PM, =JeffH <jeff.hod...@kingsmountain.com> wrote: > > In terms of this question of whether the STS header field directive ABNF > should be.. > > 1) directive = token [ "=" ( token | quoted-string ) ] > > ..or.. > > 2) directive = token [ "=" token ] > > ..I can see both sides of the argument. > > However, I've been thinking about it and grepping thru specs as well as > firefox and chrome code, which has led me to think that from an overall > (specification) consistency perspective, I'm leaning towards spec'g it with > quoted-string in the ABNF (ie, as (1)). And has been pointed out in the > discussion, it is sort of a moot point because the STS header field does not > at this time make use of the quoted-string production, nor do we have on the > table any extension directives that would do so. > > In going through the FF and Chrome code, I note that both of their STS > header field parsing methods appear to be special-case and AFAICT don't make > use of other, more general HTTP header field parsing routines that are > available in both implementations, and that are used to parse other HTTP > response header fields. These latter more general HTTP header field parsing > routines appear to be used for processing various of the other HTTP response > and request header fields (and they appear to handle quoted-string). But it > isn't clear why they aren't used for STS. It also isn't clear how uniformly > these parsing routines are used for the panoply of HTTP header fields -- > some other header fields appear to be special-cased as well (tho my c++ foo > is wanting and the code is vast..). So yeah, it does seem messy.
It's definitely messy. I don't think it matters much what we write in this document. Even if we spec quoted-string, I doubt many folks will implement it. However, we can deal with that problem when it comes time to add extension values that actually used quoted-string. Adam _______________________________________________ websec mailing list websec@ietf.org https://www.ietf.org/mailman/listinfo/websec