Re: [clear-site-data] header field syntax from Mike West on 2015-08-12 (public-webappsec@w3.org from August 2015)

From: Mike West <mkwst@google.com>
Date: Wed, 12 Aug 2015 09:48:41 +0200
To: Julian Reschke <julian.reschke@gmx.de>
Cc: Martin Thomson <martin.thomson@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <CAKXHy=dFLn1YNaov-uK81Wbo82xWOtcC9uJX94j7RJLKRTw6GQ@mail.gmail.com>

On Wed, Aug 12, 2015 at 8:26 AM, Julian Reschke <julian.reschke@gmx.de>
wrote:

> For CSP it's actually critical that we group the policy defined by a
>> single header together as a unit (as `default-src 'none'; script-src
>> 'self'` is _very_ different from `default-src 'none', script-src
>> 'self'`). For `Clear-Site-Data` it isn't (yet?) critical, but following
>> that pattern seems reasonable.
>>
>
> Supporting multiple header fields and commas is get. But why then have ";"
> as well?
>

Because it's not clear to me that we won't want the same behavior that CSP
has.

That is, if I get two headers:

```
Clear-Site-Data: *
Clear-Site-Data: includeSubdomains
```

the current spec will combine them. I'm not sure that's the correct
behavior, and I'd like to make it easy to change our minds before shipping
the feature.

-mike

Received on Wednesday, 12 August 2015 07:49:29 UTC