Re: site-wide headers

Eitan Adler <lists@eitanadler.com> Sat, 01 October 2016 08:16 UTC

In-Reply-To: <CABkgnnWDys91VF5xCBPc4+J8JQnj75VsGoLVkpXxM60egYd5GQ@mail.gmail.com>
References: <CABkgnnWDys91VF5xCBPc4+J8JQnj75VsGoLVkpXxM60egYd5GQ@mail.gmail.com>
From: Eitan Adler <lists@eitanadler.com>
Date: Sat, 01 Oct 2016 11:11:32 +0300
Message-ID: <CAF6rxg=PmJh123cUWWaZe3oNbxCcFZKdyMM+7MydVNV4AUmu8g@mail.gmail.com>
To: Martin Thomson <martin.thomson@gmail.com>
Cc: Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>
Content-Type: text/plain; charset="UTF-8"
Subject: Re: site-wide headers
Archived-At: <http://www.w3.org/mid/CAF6rxg=PmJh123cUWWaZe3oNbxCcFZKdyMM+7MydVNV4AUmu8g@mail.gmail.com>

On 28 September 2016 at 14:00, Martin Thomson <martin.thomson@gmail.com> wrote:
>
> (https://tools.ietf.org/html/draft-nottingham-site-wide-headers-00)
>

a) Strong +1 to using RFC 5785 for site-wide items. A couple of concerns though:

b) We should mention something about headers on the site-headers file
itself. For example, how long should this file be cached, etc.

c) I don't understand why we have HS or SM tags at all. So long as the
site-headers file returns 200, has contents, and has the correct media
type, those headers should be used.

d) Do we want to create a whitelist of headers that should exist in
site-headers and have user agents validate it? At the moment the draft
lists a small number of blacklisted items.

e) If a single page injects additional headers, do they override
site-headers? For example, can
https://example.com/~user/evil/page.html send
   Strict-Transport-Security: max-age=0 ; includeSubDomains

and win?



-- 
Eitan Adler
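An added example (mine, not the draft's or any participant's code) that models points (c) and (e) above: a user agent accepts the site-headers file only when it is a 200 with contents and the expected media type, then merges it with one response's own headers under either precedence rule, so the effect of a single page sending `Strict-Transport-Security: max-age=0` can be seen directly. The "Name: value" file format and the media type string are my assumptions, not the draft's.

```python
# Added example, not from the draft or from the thread: a small model of how a
# user agent might combine a site-headers file with one response's own headers.
# Assumptions (mine, not the draft's): the file is "Name: value" lines, and the
# media type string is a placeholder for whatever the draft would register.
from typing import Dict, Optional

ASSUMED_MEDIA_TYPE = "text/site-headers"  # placeholder, not a registered type


def parse_site_headers(status: int, media_type: str, body: str) -> Dict[str, str]:
    """Point (c): accept the file only if it is a 200 with contents and the
    expected media type; otherwise it contributes no headers at all."""
    essence = media_type.split(";", 1)[0].strip().lower()
    if status != 200 or not body.strip() or essence != ASSUMED_MEDIA_TYPE:
        return {}
    headers: Dict[str, str] = {}
    for line in body.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip():  # skip blank or malformed lines
            headers[name.strip().lower()] = value.strip()  # field names are case-insensitive
    return headers


def merge(site: Dict[str, str], page: Dict[str, str], page_wins: bool) -> Dict[str, str]:
    """Point (e): on a name clash, whichever side is applied last wins."""
    page = {k.lower(): v for k, v in page.items()}
    return {**site, **page} if page_wins else {**page, **site}


def hsts_max_age(headers: Dict[str, str]) -> Optional[int]:
    """Read max-age from Strict-Transport-Security, tolerating ' ; ' spacing."""
    value = headers.get("strict-transport-security")
    if value is None:
        return None
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        if name.strip().lower() == "max-age" and arg.strip().isdigit():
            return int(arg.strip())
    return None


# Constructed sample: a sane site-wide policy and the page from point (e).
SITE_FILE = "Strict-Transport-Security: max-age=31536000; includeSubDomains\nX-Frame-Options: DENY\n"
EVIL_PAGE = {"Strict-Transport-Security": "max-age=0 ; includeSubDomains"}


def effective_hsts(page_wins: bool) -> Optional[int]:
    """max-age the user agent ends up with under the chosen precedence rule."""
    site = parse_site_headers(200, ASSUMED_MEDIA_TYPE + "; charset=utf-8", SITE_FILE)
    return hsts_max_age(merge(site, EVIL_PAGE, page_wins))
```

With page-wins precedence the single page reduces max-age to 0, i.e. one page switches HSTS off for the whole host; with site-wins precedence the site-wide value of 31536000 survives.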