Re: [websec] Strict-Transport-Security syntax redux

Julian Reschke <> Sat, 08 October 2011 18:19 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 935CA21F8BA6 for <>; Sat, 8 Oct 2011 11:19:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -103.082
X-Spam-Status: No, score=-103.082 tagged_above=-999 required=5 tests=[AWL=-0.483, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id uOQX+2ltaoov for <>; Sat, 8 Oct 2011 11:19:16 -0700 (PDT)
Received: from ( []) by (Postfix) with SMTP id 3256E21F8BD8 for <>; Sat, 8 Oct 2011 11:19:15 -0700 (PDT)
Received: (qmail invoked by alias); 08 Oct 2011 18:22:31 -0000
Received: from (EHLO []) [] by (mp070) with SMTP; 08 Oct 2011 20:22:31 +0200
X-Authenticated: #1915285
X-Provags-ID: V01U2FsdGVkX19iqXspMhNilfAyCkP7o7sokUcQwcx0ZR2AuBWGG6 Z2cR3AyPzsMF+x
Message-ID: <>
Date: Sat, 08 Oct 2011 20:22:29 +0200
From: Julian Reschke <>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:7.0.1) Gecko/20110929 Thunderbird/7.0.1
MIME-Version: 1.0
To: =JeffH <>
References: <>
In-Reply-To: <>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Y-GMX-Trusted: 0
Cc: IETF WebSec WG <>
Subject: Re: [websec] Strict-Transport-Security syntax redux
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sat, 08 Oct 2011 18:19:20 -0000

On 2011-10-07 01:23, =JeffH wrote:
> ...

Trying to summarize my concerns and proposals...

(1) RFC2616-or-HTTPbis

In a perfect world I could give you an exact time-of-arrival for 
HTTPbis. But the world is not perfect; and progress on HTTPbis mainly 
depends on the availability of the editors, and, more importantly, 
people showing up on the HTTPbis mailing list to help in closing issues 
and reviewing the existing text. So help *is* appreciated. -> 

(2) Multiple header instances

Header fields can occur multiple times, even when they were intended not 
to. Examples: Location, Content-Length. When this happens, we usually 
see interop problems because some consumers pick the first, some pick 
the second, and some combine them using a comma, as described in HTTP spec.

This can be dangerous when the repetition makes the message format 
ambiguous (Content-Length, for instance). It also means that it allows 
smuggling, relying on checkers/intermediaries only seeing one of the 

Note that Chrome and FF have become very strict in checking for this for 
C-L, and FF does even more checks (syntax of C-L, also checks for 
Location and Content-Disposition).

So *if* STS doesn't allow multiple header fields (which would require 
switching to a comma-separated syntax), the spec should be crystal clear 
what to do when multiple instances are encountered; in many cases the 
default should be "ignore the header field" or even "consider the 
message to be broken". Not sure what's best here.

Also note that somebody else may be combining multiple fields into a 
single one, and the recipient will see those concatenated with commas as 
separators. Optimally the format is robust enough to detect things like 

(3) ABNF organization

Any header field that is extensible needs to define the syntax for the 
extension point, so existing code can parse them. Don't make extensions 
different from the builtins with respect to syntax. It just makes the 
parser more complicated.

So just define a single ABNF for STS directives in ABNF.

For instance, using RFC 2616 ABNF and list syntax:

Strict-Transport-Security =
   "Strict-Transport-Security" ":" 1#directive

...or when sticking to semicolon:

Strict-Transport-Security =
   "Strict-Transport-Security" ":" directive *( ";" directive )


directive = token( "=" ( token / quoted-string ) )

In prose, add additional constrains, such as "MUST contain FOOBAR 
directive exactly once".

Finally, for each builtin directive state the individual syntax of the 
param *value*, and do not make the ABNF vary based on the directive.

Hope this helps.

Also worth reading: 

Best regards, Julian