Re: site-wide headers

On 28 September 2016 at 14:00, Martin Thomson <> wrote:
> (

a) Strong +1 to using rfc5785 for site-wide items. A couple of concerns though:

b) We should mention something about headers on the site-headers file
itself. For example how long should this file be cached, etc.

c) I don't understand why we have HS or SM tags at all. So long as the
site-headers file returns 200, has contents, and has the correct media
type those headers should be used.

d) Do we want to create a whitelist of headers that should exist in
site-headers and have user agents validate it? At the moment the draft
lists a small number of blacklisted items.

e) If a single page injects additional headers do they override
site-headers? For example can send
   Strict-Transport-Security: max-age=0 ; includeSubDomains

and win?

Eitan Adler

Received on Saturday, 1 October 2016 08:12:33 UTC