W3C home > Mailing lists > Public > public-webappsec@w3.org > August 2019

Message headers not being registered with IANA despite years-old issue

From: Guillaume Fortin-Debigaré <pleaseiwantthem@hotmail.com>
Date: Sat, 3 Aug 2019 04:58:21 +0000
To: "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <CY4PR03MB30806548415E70526347A2B7B0D80@CY4PR03MB3080.namprd03.prod.outlook.com>
Hello everyone,

I recently opened an issue in the webappsec-csp GitHub repository about the fact that Content-Security-Policy and Content-Security-Policy-Report-Only HTTP headers are missing from the IANA Permanent Message Header Field Names registry:
https://www.iana.org/assignments/message-headers/message-headers.xhtml<https://www.iana.org/assignments/message-headers/message-headers.xhtml#perm-headers>

Turns out that someone else flagged the same issue 2 years ago, but in the webappsec GitHub repository.

Here are the issues in question:
https://github.com/w3c/webappsec-csp/issues/404
https://github.com/w3c/webappsec/issues/532

I'm extremely concerned that after all this time, this problem has yet to have been resolved, especially considering that the IANA registry is often regarded as the authority on this regard. I'm also very concerned that history appears to be repeating with the Feature-Policy header, which has yet to be registered with the IANA for inclusion in the Provisional Message Header Field Names registry. There may be more affected message headers within the scope of the Web Application Security Working Group, but if so I'm not aware of them.

I would appreciate if someone could take ownership of this issue, and work with everyone to prevent this kind of blunder in the future.

Thank you very much for your work!

Guillaume Fortin-Debigaré
Received on Monday, 5 August 2019 07:53:44 UTC

This archive was generated by hypermail 2.3.1 : Monday, 5 August 2019 07:53:45 UTC