>> >> sections 6.1.1 and 6.1.2 describe the syntax particular to max-age and
>> >> includeSubDomains directives, and neither of those directives employ
>> >> quoted-string, and I don't think they need to or should.
>> >
>> > I think they should, because it's likely that people will write parses
>> > that allow both, thus you'll have an automated (and totally unneeded)
>> > interoperatility problem.
>>
>> Well, i'm not terribly convinced about this, especially given my code
>> reconnaissance in Firefox and Chrome.
>
> When you checked Firefox, did it support quoted-string for extension
> directives? See?
I am not sure what you mean by "See?" -- the parsers for STS header in both
firefox and chrome are one-off hand-coded specific parsers, for better or worse
(I'm not sure why they were done that way), and neither one supports
quoted-string for anything in the STS header IIRC.
That said, given the present definitions of the STS directives...
max-age = "max-age" "=" delta-seconds
delta-seconds = <1*DIGIT, defined in [RFC2616], Section 3.3.2>
includeSubDomains = "includeSubDomains"
I'm not sure how to cleanly and unambiguously define them in terms of both
token and quoted-string (and retain max-age's basis on delta-seconds). Perhaps
you could propose how to do this?
Also, we need to consciously realize that even if we define it in this fancier
way in the spec, the present HSTS implementations won't match this, and may
never do so. i.e. yes, you can submit bugs and wait and see what happens.
=JeffH
ps...
>> > I think they should, because it's likely that people will write parses
>> > that allow both,
I think "likely" should in reality be "may" in the above. There's a ton of
parsers already written (firefox alone has several different ones apparently
from what I can discern) that don't follow the (relatively recent) "parse
parameter values in both token and quoted string forms" mantra.
And so you're hoping both that existing parsers get updated to follow the
general guidelines in "3.1 Considerations for Creating Header Fields"
<http://greenbytes.de/tech/webdav/draft-ietf-httpbis-p2-semantics-19.html#rfc.section.3.1>,
and that new ones also adhere to said considerations.
_______________________________________________
websec mailing list
websec@ietf.org
https://www.ietf.org/mailman/listinfo/websec
