Opened 10 years ago
Closed 10 years ago
#33 closed defect (fixed)
HSTS: quoted-string grammar in (extension) directives?
| Reported by: | jeff.hodges@… | Owned by: | draft-ietf-websec-strict-transport-sec@… |
|---|---|---|---|
| Priority: | major | Milestone: | |
| Component: | strict-transport-sec | Version: | |
| Severity: | In WG Last Call | Keywords: | |
| Cc: | | | |
Description
(extension) directives are defined as having this grammar:

```abnf
token [ "=" ( token | quoted-string ) ]
```
There is an argument against having quoted-string as part of the grammar. Justification is presented primarily in these messages:
https://www.ietf.org/mail-archive/web/websec/current/msg00781.html (Adam Barth)
https://www.ietf.org/mail-archive/web/websec/current/msg00920.html (Adam Barth)
...but also in other messages in the same thread. A nominal summary of the argument against inclusion of quoted-string:
- presently-defined STS header directives don't employ quoted-string syntax
- supporting use of quoted-string syntax raises questions of handling error conditions such as unbalanced quotation marks
- present HSTS implementations don't parse quoted-string STS directive values (e.g. `max-age="13425"`)
The argument for having quoted-string as a part of the grammar is:
- centered around HTTP header field consistency -- the generic header field syntax in RFC2616 (as well as in the in-progress httpbis update) incorporates quoted-string syntax as a part of header field value components.
- because the HSTS header field grammar is extensible, and new directives can be defined in the future which may (need to) use quoted-string syntax.
...as noted here:
https://www.ietf.org/mail-archive/web/websec/current/msg00774.html (Julian Reschke)
https://www.ietf.org/mail-archive/web/websec/current/msg00933.html (Julian Reschke)
Change History (6)
comment:1 Changed 10 years ago by jeff.hodges@…
comment:2 Changed 10 years ago by julian.reschke@…
Related Mozilla bug: https://bugzilla.mozilla.org/show_bug.cgi?id=718409
comment:3 Changed 10 years ago by jeff.hodges@…
Further nits with respect to the STS header ABNF are in the thread rooted here:
[websec] STS ABNF, was: new rev: draft-ietf-websec-strict-transport-sec-04
https://www.ietf.org/mail-archive/web/websec/current/msg01020.html
the crux being that

```
STS: foo ;
```

parses, but

```
STS: ; foo
```

does not. This could be fixed by saying:

```abnf
Strict-Transport-Security = "Strict-Transport-Security" ":"
                            *( ";" [ directive ] )
```
comment:4 Changed 10 years ago by jeff.hodges@…
- Resolution set to fixed
- Status changed from new to closed
comment:5 Changed 10 years ago by jeff.hodges@…
- Resolution fixed deleted
- Status changed from closed to reopened
Need to re-fix the STS grammar that appears in -06 (see the entire thread rooted here):
https://www.ietf.org/mail-archive/web/websec/current/msg01096.html
Also, the quoted-string debate continues...
https://www.ietf.org/mail-archive/web/websec/current/msg01107.html
comment:6 Changed 10 years ago by jeff.hodges@…
- Resolution set to fixed
- Severity changed from Active WG Document to In WG Last Call
- Status changed from reopened to closed
fixed in -07
Subsequent additional discussion is in the thread rooted here:
[websec] of quoted-string header field param value syntax (was: Strict-Transport-Security syntax redux)
https://www.ietf.org/mail-archive/web/websec/current/msg00975.html