
Re: [clear-site-data] header field syntax

From: Julian Reschke <julian.reschke@gmx.de>
Date: Wed, 12 Aug 2015 09:54:12 +0200
To: Mike West <mkwst@google.com>
Cc: Martin Thomson <martin.thomson@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <55CAFBA4.4080301@gmx.de>
On 2015-08-12 09:48, Mike West wrote:
> On Wed, Aug 12, 2015 at 8:26 AM, Julian Reschke <julian.reschke@gmx.de
> <mailto:julian.reschke@gmx.de>> wrote:
>
>         For CSP it's actually critical that we group the policy defined by a
>         single header together as a unit (as `default-src 'none'; script-src
>         'self'` is _very_ different from `default-src 'none', script-src
>         'self'`). For `Clear-Site-Data` it isn't (yet?) critical, but
>         following
>         that pattern seems reasonable.
>
>
>     Supporting multiple header fields and commas is get. But why then
>     have ";" as well?
>
>
> Because it's not clear to me that we won't want the same behavior that
> CSP has.
>
> That is, if I get two headers:
>
> ```
> Clear-Site-Data: *
> Clear-Site-Data: includeSubdomains
> ```
>
> the current spec will combine them. I'm not sure that's the correct
> behavior, and I'd like to make it easy to change our minds before
> shipping the feature.

Recombination is governed by the HTTP spec, not an individual header field definition.

So any software component is allowed to change

 > Clear-Site-Data: *
 > Clear-Site-Data: includeSubdomains

to

 > Clear-Site-Data: *, includeSubdomains

...and a header field definition needs to handle that case.

Best regards, Julian
Received on Wednesday, 12 August 2015 07:54:45 UTC
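The point Julian makes above, that a receiver must treat two `Clear-Site-Data` fields and one comma-merged field identically because any intermediary may merge them, and Mike's earlier point that for CSP `;` (directives within one policy) and `,` (separate policies) mean very different things, both come down to how the receiving code splits the field value. The following is an added example, not code from the thread or from any browser; the functions `splitList`, `combinedFieldValue`, `parseClearSiteData`, `parseCspPolicies` and `cspAllows` are hypothetical names, the `Clear-Site-Data` tokens (`*`, `includeSubdomains`) are the ones from the thread's 2015 draft syntax rather than the later published spec, and CSP source matching is reduced to exact keyword comparison.

```javascript
// Added example (not from the thread). Assumes the 2015 draft token syntax for
// Clear-Site-Data ("*", "includeSubdomains") and keyword-only CSP source matching.

// Split an HTTP list-typed field value on a separator, ignoring separators that
// sit inside double-quoted strings (RFC 7230 quoted-string, with quoted-pairs)
// and dropping empty elements, which the #rule permits ("a, , b").
function splitList(value, sep = ',') {
  const out = [];
  let cur = '';
  let quoted = false;
  for (let i = 0; i < value.length; i++) {
    const c = value[i];
    if (quoted) {
      cur += c;
      if (c === '\\' && i + 1 < value.length) cur += value[++i]; // quoted-pair
      else if (c === '"') quoted = false;
    } else if (c === '"') {
      quoted = true;
      cur += c;
    } else if (c === sep) {
      out.push(cur);
      cur = '';
    } else {
      cur += c;
    }
  }
  out.push(cur);
  return out.map(s => s.trim()).filter(s => s.length > 0);
}

// What an intermediary (or the Fetch API's Headers object) is allowed to do:
// merge two same-named fields into one comma-separated value. Headers is the
// WHATWG Fetch global (Node 18+, browsers); older runtimes fall back to a join.
function combinedFieldValue(name, values) {
  if (typeof Headers === 'undefined') return values.join(', ');
  const h = new Headers();
  for (const v of values) h.append(name, v);
  return h.get(name); // joined with ", " per the Fetch spec
}

// Clear-Site-Data (draft syntax in the thread): a comma-separated list of
// tokens. The parser accepts the split and merged forms identically, since it
// cannot know which one the origin server actually sent.
function parseClearSiteData(values) {
  const types = new Set();
  for (const v of values) for (const t of splitList(v)) types.add(t);
  return [...types].sort();
}

// CSP: within one field value, ';' separates directives of ONE policy, while
// ',' (or a second header field) starts ANOTHER policy. Returns a list of
// policies, each a Map from directive name to its source list.
function parseCspPolicies(values) {
  return values.flatMap(v => splitList(v)).map(policy => {
    const dirs = new Map();
    for (const d of splitList(policy, ';')) {
      const [name, ...sources] = d.split(/\s+/);
      dirs.set(name.toLowerCase(), sources);
    }
    return dirs;
  });
}

// A load is allowed only if EVERY policy allows it. A directive missing from a
// policy falls back to that policy's default-src (constructed keyword matching).
function cspAllows(policies, directive, source) {
  return policies.every(p => {
    const sources = p.get(directive) ?? p.get('default-src') ?? [];
    return sources.includes(source);
  });
}

// Constructed inputs: the two header pairs discussed in the thread.
const csd = ['*', 'includeSubdomains'];
console.log(combinedFieldValue('Clear-Site-Data', csd)); // "*, includeSubdomains"
console.log(parseClearSiteData(csd), parseClearSiteData(['*, includeSubdomains']));

const semicolonForm = ["default-src 'none'; script-src 'self'"]; // one policy
const commaForm = ["default-src 'none', script-src 'self'"];     // two policies
console.log(cspAllows(parseCspPolicies(semicolonForm), 'script-src', "'self'")); // true
console.log(cspAllows(parseCspPolicies(commaForm), 'script-src', "'self'"));     // false
```

The last two lines are the whole argument: with `;` the single policy's `script-src 'self'` wins, but with `,` the first policy's `default-src 'none'` still applies to scripts and blocks them, so a definition that lets `,` appear inside a policy would have its meaning changed by any proxy that merges fields.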