
Re: [clear-site-data] header field syntax

From: Mike West <mkwst@google.com>
Date: Wed, 12 Aug 2015 09:48:41 +0200
Message-ID: <CAKXHy=dFLn1YNaov-uK81Wbo82xWOtcC9uJX94j7RJLKRTw6GQ@mail.gmail.com>
To: Julian Reschke <julian.reschke@gmx.de>
Cc: Martin Thomson <martin.thomson@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>

On Wed, Aug 12, 2015 at 8:26 AM, Julian Reschke <julian.reschke@gmx.de> wrote:

>> For CSP it's actually critical that we group the policy defined by a
>> single header together as a unit (as `default-src 'none'; script-src
>> 'self'` is _very_ different from `default-src 'none', script-src
>> 'self'`). For `Clear-Site-Data` it isn't (yet?) critical, but following
>> that pattern seems reasonable.
> Supporting multiple header fields and commas is get. But why then have ";"
> as well?

Because it's not clear to me that we won't want the same behavior that CSP

That is, if I get two headers:

Clear-Site-Data: *
Clear-Site-Data: includeSubdomains

the current spec will combine them. I'm not sure that's the correct
behavior, and I'd like to make it easy to change our minds before shipping
the feature.

Received on Wednesday, 12 August 2015 07:49:29 UTC
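
Added example, not part of the original message or of either spec: a simplified JavaScript model of the CSP grouping described in the quoted text, showing why `;` and `,` give different results for the two policy strings quoted there. The function names are hypothetical, and only the `'self'`, `*` and `'none'` source expressions are modelled.

```javascript
// Added illustration: simplified CSP-style header parsing (not a full CSP implementation).
// "," (or a repeated header field) separates independent policies;
// ";" separates directives inside one policy.
function parsePolicies(headerValues) {
  return headerValues
    .join(",")                       // repeated fields combine as one comma list
    .split(",")
    .map((policy) => {
      const directives = new Map();
      for (const part of policy.split(";")) {
        const [name, ...sources] = part.trim().split(/\s+/);
        // First occurrence of a directive wins; later duplicates are ignored.
        if (name && !directives.has(name.toLowerCase())) {
          directives.set(name.toLowerCase(), sources);
        }
      }
      return directives;
    })
    .filter((directives) => directives.size > 0);
}

// Does one policy allow a same-origin script? script-src falls back to default-src.
function policyAllowsSelfScript(directives) {
  const sources = directives.get("script-src") ?? directives.get("default-src");
  if (sources === undefined) return true;   // no governing directive: no restriction
  return sources.includes("'self'") || sources.includes("*");
}

// Every policy is enforced independently, so a load must pass all of them.
function allowsSelfScript(headerValues) {
  return parsePolicies(headerValues).every(policyAllowsSelfScript);
}

// The two strings from the quoted text, plus the same content as two header fields.
const grouped = ["default-src 'none'; script-src 'self'"];
const split = ["default-src 'none', script-src 'self'"];
const twoFields = ["default-src 'none'", "script-src 'self'"];

console.log("one policy, two directives:", allowsSelfScript(grouped));
console.log("two policies via comma:    ", allowsSelfScript(split));
console.log("two policies via two fields:", allowsSelfScript(twoFields));
```

With the semicolon, `script-src 'self'` overrides the `default-src` fallback inside one policy; with the comma or two fields, the standalone `default-src 'none'` policy still blocks the script.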
