On 24/03/2012 00:01, =JeffH wrote:
> james.h.man...@team.telstra.com wrote:
> >
> > The ABNF for the Strict-Transport-Security header looks wrong. It now
> > *requires* a leading ";" before the first directive.
>
> yes, it's broken as you indicate, and you aren't the only person to
> have noticed it.
>
> I apologize (to all), I didn't thoroughly vet the suggested change to
> the ABNF before incorporating it. doh.
>
> I suspect Julian just didn't look closely at his suggestion before
> posting it..
>
> https://www.ietf.org/mail-archive/web/websec/current/msg01020.html
>
> > I suggest the following ABNF.
> >
> > Strict-Transport-Security = "Strict-Transport-Security" ":"
> >     directive *( ";" directive )
> >
> > directive = [ token [ "=" ( token | quoted-string ) ] ]
>
> Well, I've been counseled in the past (and agree with it) that having
> an ABNF production that is potentially totally null is not such a good
> idea.
>
> Perhaps this approach addresses this problem and is closer to what
> Julian intended..
>
>   Strict-Transport-Security = "Strict-Transport-Security" ":"
>       [ directive ] *( ";" [ directive ] )
>
>   directive = token [ "=" ( token | quoted-string ) ]
>
> ?

I think this is fine. And you can enforce "can't be totally null" in
prose, if you don't want to fix this in ABNF.
_______________________________________________
websec mailing list
websec@ietf.org
https://www.ietf.org/mailman/listinfo/websec
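
Added illustration, not part of the thread or of the draft: a Python parser for the Strict-Transport-Security field value that follows the grammar proposed above, `[ directive ] *( ";" [ directive ] )`, and enforces the "can't be totally null" rule in code instead of in the ABNF. The function names and the tolerance of whitespace around ";" and "=" are assumptions of this example.

```python
import re

# token / quoted-string as defined in RFC 2616, which the thread's ABNF refers to.
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
QUOTED = r'"(?:[^"\\]|\\.)*"'
# Assumption: optional whitespace around "=" is tolerated.
DIRECTIVE = re.compile(rf"({TOKEN})(?:\s*=\s*({TOKEN}|{QUOTED}))?\Z")


def split_slots(value):
    """Split the field value on ';', ignoring ';' inside a quoted-string."""
    slots, buf, in_quotes, escaped = [], [], False, False
    for ch in value:
        if escaped:
            escaped = False
        elif in_quotes and ch == "\\":
            escaped = True
        elif ch == '"':
            in_quotes = not in_quotes
        elif ch == ";" and not in_quotes:
            slots.append("".join(buf))
            buf = []
            continue
        buf.append(ch)
    slots.append("".join(buf))
    return slots


def parse_sts(value):
    """Parse per [ directive ] *( ";" [ directive ] ), then apply the prose rule."""
    directives = {}
    for slot in split_slots(value):
        slot = slot.strip()  # assumption: whitespace around ';' is tolerated
        if not slot:
            continue  # an empty slot is legal: every directive is optional
        m = DIRECTIVE.match(slot)
        if m is None:
            raise ValueError(f"malformed directive: {slot!r}")
        name, val = m.groups()
        if val is not None and val.startswith('"'):
            val = re.sub(r"\\(.)", r"\1", val[1:-1])  # unquote quoted-string
        directives[name] = val
    if not directives:
        # The grammar alone matches an all-empty value; reject it here.
        raise ValueError("header carries no directives")
    return directives
```

A value with a leading ";" parses, but the ";" is no longer required, and a value made up only of ";" and whitespace is rejected by the final check rather than by the grammar.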