Re: site-wide headers

From: Eitan Adler <lists@eitanadler.com>
Date: Sat, 1 Oct 2016 11:11:32 +0300
Message-ID: <CAF6rxg=PmJh123cUWWaZe3oNbxCcFZKdyMM+7MydVNV4AUmu8g@mail.gmail.com>
To: Martin Thomson <martin.thomson@gmail.com>
Cc: Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>
On 28 September 2016 at 14:00, Martin Thomson <martin.thomson@gmail.com> wrote:
>
> (https://tools.ietf.org/html/draft-nottingham-site-wide-headers-00)
>

a) Strong +1 to using RFC 5785 for site-wide items. A couple of concerns though:

b) We should mention something about headers on the site-headers file
itself. For example how long should this file be cached, etc.

c) I don't understand why we have HS or SM tags at all. So long as the
site-headers file returns 200, has contents, and has the correct media
type those headers should be used.

d) Do we want to create a whitelist of headers that should exist in
site-headers and have user agents validate it? At the moment the draft
lists a small number of blacklisted items.

e) If a single page injects additional headers do they override
site-headers? For example can
https://example.com/~user/evil/page.html send
   Strict-Transport-Security: max-age=0 ; includeSubDomains

and win?
-- 
Eitan Adler
Received on Saturday, 1 October 2016 08:12:33 UTC
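The override question in (e) can be made concrete by modelling the two ways a user agent could combine a cached site-headers file with the headers of one response. This is an added illustration, not code from the draft or from the thread; the policy names and the PROTECTED set are assumptions, since the draft text on the page defines no precedence rule.

```python
# Added example (not from the draft or the message): models how a user agent
# might combine a fetched /.well-known site-headers set with the headers of a
# single response. Policy names and PROTECTED are assumptions for illustration.

# Constructed sample: the site-wide header set a UA has fetched and cached.
SITE_HEADERS = {
    "strict-transport-security": "max-age=31536000; includeSubDomains",
    "content-security-policy": "default-src 'self'",
    "x-frame-options": "DENY",
}

# Assumption: headers a UA should not let a single response weaken once they
# are set site-wide. The draft would have to define such a list for this to hold.
PROTECTED = {"strict-transport-security", "content-security-policy"}


def merge_headers(site, response, policy="response-wins"):
    """Return (effective_headers, conflicts) for one response.

    policy="response-wins":  a per-response header replaces the site-wide one,
        which is the outcome question (e) asks about.
    policy="site-protected": protected site-wide headers are kept; the
        conflicting response header is reported so it can be logged.
    """
    site = {k.lower(): v for k, v in site.items()}
    response = {k.lower(): v for k, v in response.items()}
    effective = dict(site)
    conflicts = []
    for name, value in response.items():
        if name in site and site[name] != value:
            if policy == "site-protected" and name in PROTECTED:
                conflicts.append((name, value))
                continue  # keep the site-wide value
        effective[name] = value
    return effective, conflicts


# Constructed response headers for the page in the message: it attempts to
# switch HSTS off for the whole host.
EVIL_PAGE = {"Strict-Transport-Security": "max-age=0 ; includeSubDomains"}

if __name__ == "__main__":
    for policy in ("response-wins", "site-protected"):
        eff, conflicts = merge_headers(SITE_HEADERS, EVIL_PAGE, policy)
        print(policy, "->", eff["strict-transport-security"], conflicts)
```

Under "response-wins" the page's `max-age=0` becomes the effective HSTS value, which is exactly the "and win?" outcome; under "site-protected" the site-wide value survives and the attempt is surfaced as a conflict.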