Message headers not being registered with IANA despite years-old issue

Hello everyone,

I recently opened an issue in the webappsec-csp GitHub repository about the fact that Content-Security-Policy and Content-Security-Policy-Report-Only HTTP headers are missing from the IANA Permanent Message Header Field Names registry:<>

Turns out that someone else flagged the same issue 2 years ago, but in the webappsec GitHub repository.

Here are the issues in question:

I'm extremely concerned that after all this time, this problem has yet to have been resolved, especially considering that the IANA registry is often regarded as the authority on this regard. I'm also very concerned that history appears to be repeating with the Feature-Policy header, which has yet to be registered with the IANA for inclusion in the Provisional Message Header Field Names registry. There may be more affected message headers within the scope of the Web Application Security Working Group, but if so I'm not aware of them.

I would appreciate if someone could take ownership of this issue, and work with everyone to prevent this kind of blunder in the future.

Thank you very much for your work!

Guillaume Fortin-Debigaré

Received on Monday, 5 August 2019 07:53:44 UTC