- From: Peter Eckersley <pde@eff.org>
- Date: Thu, 5 Feb 2015 17:55:21 -0800
- To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
- Cc: public-webappsec@w3.org, technologists@eff.org
On Thu, Feb 05, 2015 at 05:54:15PM -0500, Daniel Kahn Gillmor wrote:
> On Mon 2015-02-02 19:21:00 -0500, Peter Eckersley wrote:
>
> > Assuming that clients are following point 6.1.4 in RFC 6797
> > (https://tools.ietf.org/html/rfc6797#section-6.1) correctly, it should
> > be practical to make this kind of functionality part of HSTS.
>
> This point in the RFC says:
>
> 4. UAs MUST ignore any STS header field containing directives, or
> other header field value data, that does not conform to the
> syntax defined in this specification.
>
> I read that to mean that STS headers which break *syntax* should be
> ignored. It does not say that any unknown directive should be ignored.
>
> In fact, the next point explicitly says that unknown directives should
> be ignored:
>
> 5. If an STS header field contains directive(s) not recognized by
> the UA, the UA MUST ignore the unrecognized directives, and if
> the STS header field otherwise satisfies the above requirements
> (1 through 4), the UA MUST process the recognized directives.

Thank you for catching my misreading there. I think that pretty much
guarantees that we shouldn't do this as a new HSTS directive. Let's keep
working on Mike's CSP proposal :)

--
Peter Eckersley pde@eff.org
Technology Projects Director Tel +1 415 436 9333 x131
Electronic Frontier Foundation Fax +1 415 436 9993
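As an added example, not from the thread or from any browser's code, here is a Python parser for the Strict-Transport-Security field value that applies the two requirements quoted above: a header with non-conforming syntax is ignored as a whole (point 4), while directives the user agent does not recognise are dropped and the rest processed (point 5). It also enforces the single-occurrence rule and the required max-age from the same section of RFC 6797; the function name `parse_sts`, the `KNOWN` set and the sample header values are assumptions made for the illustration.

```python
import re

# Grammar from RFC 6797 section 6.1: directive = directive-name [ "=" directive-value ],
# with directive-name = token and directive-value = token | quoted-string (RFC 2616).
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
QUOTED = r'"(?:[^"\\]|\\.)*"'
DIRECTIVE_RE = re.compile(rf"^\s*({TOKEN})\s*(?:=\s*({TOKEN}|{QUOTED}))?\s*$")

# Directives this (assumed) user agent recognises; anything else is "unrecognised" (point 5).
KNOWN = {"max-age", "includesubdomains"}


def _unquote(value):
    # Strip RFC 2616 quoted-string delimiters and backslash escapes, if present.
    if value.startswith('"'):
        return re.sub(r"\\(.)", r"\1", value[1:-1])
    return value


def parse_sts(header_value):
    """Parse one Strict-Transport-Security field value.
    Returns the processed policy, or None when the UA must ignore the whole header:
    non-conforming syntax (point 4), a directive given twice (point 2), or a missing
    or invalid max-age (section 6.1.1). Unrecognised directives are listed under
    "ignored" and otherwise dropped, as point 5 requires.
    """
    seen = {}
    for raw in header_value.split(";"):
        if raw.strip() == "":
            continue  # the grammar allows empty directives: *( ";" [ directive ] )
        match = DIRECTIVE_RE.match(raw)
        if match is None:
            return None  # point 4: a syntax error anywhere invalidates the header
        name = match.group(1).lower()  # point 3: directive names are case-insensitive
        if name in seen:
            return None  # point 2: each directive may appear only once
        seen[name] = match.group(2)
    max_age = seen.get("max-age")
    if max_age is None or not re.fullmatch(r"[0-9]+", _unquote(max_age)):
        return None  # max-age is REQUIRED and its value must be delta-seconds
    return {
        "max_age": int(_unquote(max_age)),
        "include_subdomains": "includesubdomains" in seen,
        "ignored": sorted(name for name in seen if name not in KNOWN),
    }


if __name__ == "__main__":
    # Constructed header values: a policy carrying a directive this UA does not know, and a malformed one.
    print(parse_sts("max-age=31536000; includeSubDomains; preload"))
    print(parse_sts("max-age=31536000; foo bar"))
```

The first call yields a policy with `preload` reported as ignored; the second returns None because `foo bar` is not a valid directive, so the whole header is discarded.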
Received on Friday, 6 February 2015 01:55:51 UTC