Re: [clear-site-data] header field syntax

On 2015-08-12 09:48, Mike West wrote:
> On Wed, Aug 12, 2015 at 8:26 AM, Julian Reschke <julian.reschke@gmx.de> wrote:
>
>         For CSP it's actually critical that we group the policy defined by a
>         single header together as a unit (as `default-src 'none'; script-src
>         'self'` is _very_ different from `default-src 'none', script-src
>         'self'`). For `Clear-Site-Data` it isn't (yet?) critical, but
>         following that pattern seems reasonable.
>
>
>     Supporting multiple header fields and commas is get. But why then
>     have ";" as well?
>
>
> Because it's not clear to me that we won't want the same behavior that
> CSP has.
>
> That is, if I get two headers:
>
> ```
> Clear-Site-Data: *
> Clear-Site-Data: includeSubdomains
> ```
>
> the current spec will combine them. I'm not sure that's the correct
> behavior, and I'd like to make it easy to change our minds before
> shipping the feature.

Recombination is governed by the HTTP spec, not an individual header 
field definition.

So any software component is allowed to change

 > Clear-Site-Data: *
 > Clear-Site-Data: includeSubdomains

to

 > Clear-Site-Data: *, includeSubdomains

...and a header field definition needs to handle that case.

Best regards, Julian

Received on Wednesday, 12 August 2015 07:54:45 UTC
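
The recombination point above, as an added example that is not part of the original thread: any component may merge same-named fields with a comma (RFC 7230, section 3.2.2), so a parser sees the same members either way, and only `;` survives as a grouping boundary in the CSP-style case. The helper names are hypothetical and the parsing is a simplified comma/semicolon split, not the algorithm of either specification.

```python
# Added illustration; helper names are hypothetical, not taken from any spec.

def recombine(fields):
    """Merge same-named fields in order, as any HTTP component may do."""
    merged = {}
    for name, value in fields:
        key = name.lower()  # field names are case-insensitive
        merged[key] = f"{merged[key]}, {value}" if key in merged else value
    return merged

def as_received(fields, name):
    """Return the values of every field called `name`, in arrival order."""
    return [v for n, v in fields if n.lower() == name.lower()]

def list_members(values):
    """Parse one or more field values as a single comma-separated list."""
    members = []
    for value in values:
        members += [m.strip() for m in value.split(",") if m.strip()]
    return members

def policies(values):
    """CSP-style grouping: ',' separates policies, ';' separates directives."""
    return [
        [d.strip() for d in policy.split(";") if d.strip()]
        for policy in list_members(values)
    ]

# Constructed input: the two header fields from the message above.
SPLIT = [("Clear-Site-Data", "*"), ("Clear-Site-Data", "includeSubdomains")]

def demo():
    """Parse the fields as sent, then again after an intermediary merged them."""
    before = list_members(as_received(SPLIT, "clear-site-data"))
    after = list_members([recombine(SPLIT)["clear-site-data"]])
    return before, after

if __name__ == "__main__":
    print(demo())  # identical lists: the field boundary carries no meaning
    print(policies(["default-src 'none'; script-src 'self'"]))  # one policy
    print(policies(["default-src 'none', script-src 'self'"]))  # two policies
```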