- From: Eitan Adler <lists@eitanadler.com>
- Date: Sat, 1 Oct 2016 11:11:32 +0300
- To: Martin Thomson <martin.thomson@gmail.com>
- Cc: Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>
On 28 September 2016 at 14:00, Martin Thomson <martin.thomson@gmail.com> wrote:
>
> (https://tools.ietf.org/html/draft-nottingham-site-wide-headers-00)
>

a) Strong +1 to using rfc5785 for site-wide items.

A couple of concerns though:

b) We should mention something about headers on the site-headers file itself. For example how long should this file be cached, etc.

c) I don't understand why we have HS or SM tags at all. So long as the site-headers file returns 200, has contents, and has the correct media type those headers should be used.

d) Do we want to create a whitelist of headers that should exist in site-headers and have user agents validate it? At the moment the draft lists a small number of blacklisted items.

e) If a single page injects additional headers do they override site-headers? For example can https://example.com/~user/evil/page.html send Strict-Transport-Security: max-age=0 ; includeSubDomains and win?

--
Eitan Adler
Received on Saturday, 1 October 2016 08:12:33 UTC
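An added illustration of the precedence question raised in (e), not code from this thread or from the draft: a small merge routine showing what the effective HSTS header becomes if a single response is allowed to override the site-wide file. The "Name: value" file format, the `PROTECTED` set and both merge policies are assumptions made for this example only.

```python
# Added illustration of concern (e): what happens to HSTS if a single
# response may override the site-wide headers file. The file format and
# the merge policies are assumptions, not draft-nottingham-site-wide-headers
# semantics.

# Constructed site-headers file for https://example.com (assumed
# "Name: value" line format).
SITE_HEADERS_FILE = """\
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Frame-Options: DENY
"""

# Hypothetical set of header names an origin would never want a single
# response to weaken (assumption for this example).
PROTECTED = {"strict-transport-security"}


def parse_site_headers(text):
    """Parse 'Name: value' lines into a dict keyed by lowercased name."""
    headers = {}
    for line in text.splitlines():
        if not line.strip() or ":" not in line:
            continue  # skip blank or malformed lines
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def merge(site, response, response_wins):
    """Combine site-wide and per-response headers.

    response_wins=True:  any response header overrides the site-wide one
                         (the reading under which a /~user/ page can send
                         max-age=0 and win).
    response_wins=False: site-wide values for PROTECTED names are kept.
    """
    merged = dict(site)
    for name, value in response.items():
        key = name.lower()
        if key in merged and key in PROTECTED and not response_wins:
            continue  # keep the site-wide value
        merged[key] = value
    return merged


# Constructed response from a user-controlled path trying to disable HSTS.
EVIL_RESPONSE = {"Strict-Transport-Security": "max-age=0 ; includeSubDomains"}


def hsts_after_merge(response_wins):
    """Effective HSTS value for the evil page under the chosen policy."""
    site = parse_site_headers(SITE_HEADERS_FILE)
    return merge(site, EVIL_RESPONSE, response_wins)["strict-transport-security"]
```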