- From: Julian Reschke <julian.reschke@gmx.de>
- Date: Wed, 12 Aug 2015 09:54:12 +0200
- To: Mike West <mkwst@google.com>
- Cc: Martin Thomson <martin.thomson@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On 2015-08-12 09:48, Mike West wrote:
> On Wed, Aug 12, 2015 at 8:26 AM, Julian Reschke <julian.reschke@gmx.de
> <mailto:julian.reschke@gmx.de>> wrote:
>
> >     For CSP it's actually critical that we group the policy defined by a
> >     single header together as a unit (as `default-src 'none'; script-src
> >     'self'` is _very_ different from `default-src 'none', script-src
> >     'self'`). For `Clear-Site-Data` it isn't (yet?) critical, but
> >     following that pattern seems reasonable.
>
>     Supporting multiple header fields and commas is get. But why then
>     have ";" as well?
>
> Because it's not clear to me that we won't want the same behavior that
> CSP has.
>
> That is, if I get two headers:
>
> ```
> Clear-Site-Data: *
> Clear-Site-Data: includeSubdomains
> ```
>
> the current spec will combine them. I'm not sure that's the correct
> behavior, and I'd like to make it easy to change our minds before
> shipping the feature.

Recombination is governed by the HTTP spec, not an individual header
field definition. So any software component is allowed to change

> Clear-Site-Data: *
> Clear-Site-Data: includeSubdomains

to

> Clear-Site-Data: *, includeSubdomains

...and a header field definition needs to handle that case.

Best regards,
Julian
Received on Wednesday, 12 August 2015 07:54:45 UTC
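The point of the exchange above, shown as an added example that is not code from the thread or from either specification: a header field definition must parse the repeated-field form and the comma-joined form that an intermediary is allowed to produce (RFC 7230, section 3.2.2) to the same result, and a CSP-style definition that uses `;` inside one field has to treat the comma as a policy boundary for exactly that reason. The Clear-Site-Data tokens (`*`, `includeSubdomains`) are only the ones mentioned in the message; the real grammar of that header is an assumption here, as is the simplified CSP evaluation.

```javascript
// Added example, not from the thread. Splits a list-valued header into its
// members whether the sender used repeated header fields or one comma-joined
// field (RFC 7230 section 3.2.2 lets intermediaries join them).
function splitListHeader(fieldValues) {
  const members = [];
  for (const value of fieldValues) {
    for (const part of value.split(',')) {
      const token = part.trim();
      if (token.length > 0) members.push(token);
    }
  }
  return members;
}

// Clear-Site-Data parsed the "combinable" way: the result depends only on the
// set of tokens seen, so repeated fields and a comma-joined field agree.
// Token set is assumed from the message, not taken from the spec.
function parseClearSiteData(fieldValues) {
  const tokens = splitListHeader(fieldValues);
  return {
    types: new Set(tokens.filter(t => t !== 'includeSubdomains')),
    includeSubdomains: tokens.includes('includeSubdomains'),
  };
}

// CSP-style: one policy per field, ';'-separated directives inside it. A
// comma must be read as a policy separator, otherwise a joined field such as
// `default-src 'none', script-src 'self'` would be misparsed as one policy.
// (CSP directive values may not contain ',' or ';', so splitting is safe.)
function parseCspPolicies(fieldValues) {
  const policies = [];
  for (const value of fieldValues) {
    for (const policyText of value.split(',')) {
      const directives = new Map();
      for (const directiveText of policyText.split(';')) {
        const trimmed = directiveText.trim();
        if (!trimmed) continue;
        const [name, ...sources] = trimmed.split(/\s+/);
        directives.set(name.toLowerCase(), sources);
      }
      if (directives.size > 0) policies.push(directives);
    }
  }
  return policies;
}

// Simplified check (assumption: only 'self', '*' and 'none' are modelled):
// a load is allowed only if every policy allows it, so one policy with two
// directives and two single-directive policies give different answers.
function allowsSelfScript(policies) {
  return policies.every(directives => {
    const sources =
      directives.get('script-src') ?? directives.get('default-src') ?? ['*'];
    return sources.includes("'self'") || sources.includes('*');
  });
}

// Constructed inputs mirroring the message.
const twoFields = ['*', 'includeSubdomains'];
const joinedField = ['*, includeSubdomains'];
console.log(parseClearSiteData(twoFields), parseClearSiteData(joinedField));
console.log(allowsSelfScript(parseCspPolicies(["default-src 'none'; script-src 'self'"])));
console.log(allowsSelfScript(parseCspPolicies(["default-src 'none', script-src 'self'"])));
```

With the semicolon form the single policy lets same-origin scripts through; with the comma form the first policy (`default-src 'none'`) vetoes them, which is the difference the quoted CSP remark is about. The Clear-Site-Data parser, by contrast, gives identical results for the two-field and joined-field inputs, so it survives recombination by any intermediary.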