Re: [clear-site-data] header field syntax from Mike West on 2015-08-09 (public-webappsec@w3.org from August 2015)

From: Mike West <mkwst@google.com>
Date: Sun, 9 Aug 2015 09:31:34 +0200
To: Julian Reschke <julian.reschke@gmx.de>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <CAKXHy=czDtmPm7ePQJ9+Jss6DOefpHWdve=hRioXUFbkHRHCww@mail.gmail.com>

Hey Julian! Thanks for the feedback!

On Wed, Aug 5, 2015 at 9:15 PM, Julian Reschke <julian.reschke@gmx.de>
wrote:

> Hi there,
>
> on <http://www.w3.org/TR/2015/WD-clear-site-data-20150804/#header>...:
>
> I'm concerned that this is yet another complex header field syntax that
> requires a custom parser to handle properly. Please consider reusing the
> syntax of something that already exists, such as "Prefer"

I'm trying to parse the `Prefer` ABNF (defined in
http://tools.ietf.org/html/rfc7240#section-2). It says that `token` and
`word` are defined within Sections 3.2.1 and 3.2.4 of [RFC7230], but they
don't appear to actually be defined there. Can you point me to the correct
reference (I assume `token` is from
http://tools.ietf.org/html/rfc7230#section-3.2.6, but I can't find `word`)?

> or to adopt JSON (see <
> http://greenbytes.de/tech/webdav/draft-reschke-http-jfv-latest.html>).
>

Hrm. The response to this seemed mixed at the workshop (though I came into
the presentation late). How much support is there in general? Would this be
the only JSON header? I'd prefer not to break new ground in header
syntax... :)

>
> Also please have a look at <
> http://greenbytes.de/tech/webdav/rfc7231.html#considerations.for.new.header.fields
> >.
>
> Nits:
>
> - just define the field *value*; not the complete header field including
> the name; in particular, leading and trailing whitespace aren't supposed to
> be in the field value syntax (they are handled by the message header parser)
>
> - don't mix syntax with predefined keyword strings; just define the
> overall syntax and then name the current keywords (and add considerations
> for extensions - must ignore vs must understand etc)
>
> - allowing "extension" to contain whitespace seems weird to me; it would
> be better to just adopt HTTP's token/quoted-string throughout.

These are super helpful, thank you. ABNF is not my strong point, obviously.

--
Mike West <mkwst@google.com>, @mikewest

Google Germany GmbH, Dienerstrasse 12, 80331 München,
Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der
Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth
Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

Received on Sunday, 9 August 2015 07:32:23 UTC