
Re: [clear-site-data] header field syntax

From: Mike West <mkwst@google.com>
Date: Wed, 12 Aug 2015 09:48:41 +0200
Message-ID: <CAKXHy=dFLn1YNaov-uK81Wbo82xWOtcC9uJX94j7RJLKRTw6GQ@mail.gmail.com>
To: Julian Reschke <julian.reschke@gmx.de>
Cc: Martin Thomson <martin.thomson@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>

On Wed, Aug 12, 2015 at 8:26 AM, Julian Reschke <julian.reschke@gmx.de> wrote:

>> For CSP it's actually critical that we group the policy defined by a
>> single header together as a unit (as `default-src 'none'; script-src
>> 'self'` is _very_ different from `default-src 'none', script-src
>> 'self'`). For `Clear-Site-Data` it isn't (yet?) critical, but following
>> that pattern seems reasonable.
>>
>
> Supporting multiple header fields and commas is get. But why then have ";"
> as well?
>

Because it's not clear to me that we won't want the same behavior that CSP
has.

That is, if I get two headers:

```
Clear-Site-Data: *
Clear-Site-Data: includeSubdomains
```

the current spec will combine them. I'm not sure that's the correct
behavior, and I'd like to make it easy to change our minds before shipping
the feature.

-mike
Received on Wednesday, 12 August 2015 07:49:29 UTC
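
The CSP distinction drawn in the quoted text, as an added example that is not part of the original message: a simplified model (only `'none'`, `'self'` and `*` sources, script loads only) showing that `;` separates directives inside one policy while `,` or a repeated header field yields separate policies that must each allow the load. The function names and the `example.test` origins are constructed for illustration.

```javascript
// Simplified model for illustration, not a complete CSP implementation.

// RFC 7230 section 3.2.2: repeated header fields are equivalent to a single
// field whose value is the individual values joined with ", ".
function combineFields(values) {
  return values.join(", ");
}

// "," separates policies; ";" separates directives within one policy.
function parsePolicyList(headerValue) {
  return headerValue.split(",").map(p => p.trim()).filter(Boolean).map(policy => {
    const directives = new Map();
    for (const d of policy.split(";")) {
      const [name, ...sources] = d.trim().split(/\s+/);
      if (!name) continue;
      const key = name.toLowerCase();
      // A repeated directive inside one policy is ignored; the first wins.
      if (!directives.has(key)) directives.set(key, sources);
    }
    return directives;
  });
}

// script-src governs scripts; default-src is the fallback when it is absent.
function policyAllowsScript(directives, scriptOrigin, pageOrigin) {
  const sources = directives.has("script-src")
    ? directives.get("script-src")
    : directives.get("default-src");
  if (sources === undefined) return true; // policy does not restrict scripts
  // 'none' (or an empty list) matches nothing, so some() returns false.
  return sources.some(s => s === "*" || (s === "'self'" && scriptOrigin === pageOrigin));
}

// A load is allowed only if every policy in the combined list allows it.
function allowsScript(headerValues, scriptOrigin, pageOrigin) {
  return parsePolicyList(combineFields(headerValues))
    .every(p => policyAllowsScript(p, scriptOrigin, pageOrigin));
}

const page = "https://example.test"; // constructed sample origin
console.log(allowsScript(["default-src 'none'; script-src 'self'"], page, page)); // one policy
console.log(allowsScript(["default-src 'none', script-src 'self'"], page, page)); // two policies
console.log(allowsScript(["default-src 'none'", "script-src 'self'"], page, page)); // two fields
```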
