Re: Message headers not being registered with IANA despite years-old issue

From: Ian Clelland <iclelland@google.com>
Date: Tue, 6 Aug 2019 11:47:13 -0400
Message-ID: <CAK_TSXL=F3t9bbVFm-rOGBfD4D1wB=ksohgTQPnf3EvQDASOtA@mail.gmail.com>
To: Guillaume Fortin-Debigaré <pleaseiwantthem@hotmail.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>

Thanks, Guillaume, for flagging this.

I've opened a corresponding issue in webappsec-feature-policy for the
Feature-Policy and related headers.
https://github.com/w3c/webappsec-feature-policy/issues/331


On Mon, Aug 5, 2019 at 3:55 AM Guillaume Fortin-Debigaré <pleaseiwantthem@hotmail.com> wrote:

> Hello everyone,
>
> I recently opened an issue in the webappsec-csp GitHub repository about
> the fact that Content-Security-Policy and
> Content-Security-Policy-Report-Only HTTP headers are missing from the IANA
> Permanent Message Header Field Names registry:
> https://www.iana.org/assignments/message-headers/message-headers.xhtml
> <https://www.iana.org/assignments/message-headers/message-headers.xhtml#perm-headers>
>
> Turns out that someone else flagged the same issue 2 years ago, but in
> the webappsec GitHub repository.
>
> Here are the issues in question:
> https://github.com/w3c/webappsec-csp/issues/404
> https://github.com/w3c/webappsec/issues/532
>
> I'm extremely concerned that after all this time, this problem has yet to
> be resolved, especially considering that the IANA registry is often
> regarded as the authority in this regard. I'm also very concerned that
> history appears to be repeating with the Feature-Policy header, which has
> yet to be registered with the IANA for inclusion in the Provisional Message
> Header Field Names registry. There may be more affected message headers
> within the scope of the Web Application Security Working Group, but if so
> I'm not aware of them.
>
> I would appreciate it if someone could take ownership of this issue, and work
> with everyone to prevent this kind of blunder in the future.
>
> Thank you very much for your work!
>
> Guillaume Fortin-Debigaré
>
>
Received on Tuesday, 6 August 2019 15:47:49 UTC