Re: [clear-site-data] header field syntax

From: Julian Reschke <julian.reschke@gmx.de>
Date: Wed, 12 Aug 2015 08:26:30 +0200
To: Mike West <mkwst@google.com>
Cc: Martin Thomson <martin.thomson@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <55CAE716.1050301@gmx.de>
On 2015-08-12 08:20, Mike West wrote:
> On Wed, Aug 12, 2015 at 8:16 AM, Julian Reschke <julian.reschke@gmx.de> wrote:
>
>     Then why do you have both comma and semicolon-delimited parameters?
>     That sounds very confusing.
>
>
> Commas come from misconfigured servers that send multiple
> `Clear-Site-Data` headers. That is:
>
> ```
> Clear-Site-Data: a
> Clear-Site-Data: b
> ```
>
> For CSP it's actually critical that we group the policy defined by a
> single header together as a unit (as `default-src 'none'; script-src
> 'self'` is _very_ different from `default-src 'none', script-src
> 'self'`). For `Clear-Site-Data` it isn't (yet?) critical, but following
> that pattern seems reasonable.

Supporting multiple header fields and commas is get. But why then have 
";" as well?
Received on Wednesday, 12 August 2015 06:28:15 UTC
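
The grouping point in the quoted reply, as an added example that is not part of the original thread: repeated header fields combine into one comma-separated value, so a comma marks a boundary between policies while a semicolon separates directives within one policy. The function names are hypothetical, and the matching is a simplified model that only understands `'self'` and `'none'`.

```javascript
// Added illustration; simplified model of CSP header handling, not a full CSP parser.

// Repeated header fields are combined into one comma-separated value.
function combineHeaderFields(values) {
  return values.join(", ");
}

// Comma separates policies (one per header field); semicolon separates
// directives inside a single policy.
function parsePolicies(headerValue) {
  return headerValue
    .split(",")
    .map((policy) => policy.trim())
    .filter((policy) => policy.length > 0)
    .map((policy) => {
      const directives = new Map();
      for (const part of policy.split(";")) {
        const [name, ...sources] = part.trim().split(/\s+/);
        // The first occurrence of a directive wins; later duplicates are ignored.
        if (name && !directives.has(name.toLowerCase())) {
          directives.set(name.toLowerCase(), sources);
        }
      }
      return directives;
    });
}

// Assumption: only the 'self' and 'none' source expressions are modelled.
function policyAllowsSelfScript(directives) {
  // script-src falls back to default-src when it is absent from the policy.
  const sources = directives.get("script-src") ?? directives.get("default-src");
  if (sources === undefined) return true; // no applicable directive, no restriction
  return sources.includes("'self'");
}

// A load is allowed only if every delivered policy allows it.
function allowsSelfScript(headerValue) {
  return parsePolicies(headerValue).every(policyAllowsSelfScript);
}

// Constructed sample values taken from the two forms quoted in the thread.
const onePolicy = "default-src 'none'; script-src 'self'";
const twoPolicies = combineHeaderFields(["default-src 'none'", "script-src 'self'"]);

console.log(onePolicy, "->", allowsSelfScript(onePolicy));
console.log(twoPolicies, "->", allowsSelfScript(twoPolicies));
```

With the semicolon form, same-origin scripts load; with the comma form, the standalone `default-src 'none'` policy blocks them even though the second policy would allow them.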