
Re: [clear-site-data] header field syntax

From: Mike West <mkwst@google.com>
Date: Wed, 12 Aug 2015 08:20:00 +0200
Message-ID: <CAKXHy=fte_E4hvS_+RTVFu5G6qjWDSqnOKmjY2yzO+DKmdiFRw@mail.gmail.com>
To: Julian Reschke <julian.reschke@gmx.de>
Cc: Martin Thomson <martin.thomson@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On Wed, Aug 12, 2015 at 8:16 AM, Julian Reschke <julian.reschke@gmx.de> wrote:
>
> Then why do you have both comma and semicolon-delimited parameters? That
> sounds very confusing.

Commas come from misconfigured servers that send multiple `Clear-Site-Data`
headers. That is:

```
Clear-Site-Data: a
Clear-Site-Data: b
```

For CSP it's actually critical that we group the policy defined by a single
header together as a unit (as `default-src 'none'; script-src 'self'` is
_very_ different from `default-src 'none', script-src 'self'`). For
`Clear-Site-Data` it isn't (yet?) critical, but following that pattern
seems reasonable.

-mike
Received on Wednesday, 12 August 2015 06:20:48 UTC
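An added illustration of the point in the reply above, not code from the thread or from any spec implementation: duplicate header fields are combined into one comma-joined value, which is why `Clear-Site-Data` must tolerate commas, and why a comma inside a CSP value means "another policy" while a semicolon means "another directive of the same policy". All function names and the simplified `'self'` check are this example's own assumptions.

```python
from typing import Dict, List, Tuple

def combine_headers(raw: List[Tuple[str, str]]) -> Dict[str, str]:
    """Fold repeated header fields into one ', '-joined value, as HTTP permits
    for list-valued fields (this is what a misconfigured server's two
    Clear-Site-Data headers turn into on the receiving side)."""
    out: Dict[str, str] = {}
    for name, value in raw:
        key = name.lower()
        out[key] = f"{out[key]}, {value}" if key in out else value
    return out

def clear_site_data_types(raw: List[Tuple[str, str]]) -> List[str]:
    """Split the combined Clear-Site-Data value on commas into its types."""
    combined = combine_headers(raw).get("clear-site-data", "")
    return [t.strip() for t in combined.split(",") if t.strip()]

def parse_csp(value: str) -> List[Dict[str, List[str]]]:
    """',' separates policies, ';' separates directives within one policy."""
    policies = []
    for policy in value.split(","):
        directives: Dict[str, List[str]] = {}
        for directive in policy.split(";"):
            parts = directive.split()
            if parts:
                directives[parts[0].lower()] = parts[1:]
        policies.append(directives)
    return policies

def script_self_allowed(policies: List[Dict[str, List[str]]]) -> bool:
    """A same-origin script loads only if EVERY delivered policy allows it.
    Simplified: only the literal 'self' keyword is recognised as allowing."""
    for p in policies:
        if "script-src" in p:
            sources = p["script-src"]
        elif "default-src" in p:
            sources = p["default-src"]  # script-src falls back to default-src
        else:
            continue  # this policy places no restriction on scripts
        if "'self'" not in sources:
            return False
    return True

# Constructed inputs mirroring the message: 'a'/'b' are placeholder types.
DUPLICATE_CSD = [("Clear-Site-Data", "a"), ("Clear-Site-Data", "b")]
ONE_POLICY = "default-src 'none'; script-src 'self'"   # scripts from self: allowed
TWO_POLICIES = "default-src 'none', script-src 'self'"  # first policy blocks them
```

Two separate `Content-Security-Policy` headers combine into exactly the `TWO_POLICIES` string, so "one header, one policy" is what keeps a split policy from silently tightening.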
