IETF Logo Mail Archive

Re: [websec] of quoted-string header field param value syntax (was: Strict-Transport-Security syntax redux)

Julian Reschke <julian.reschke@gmx.de> Sat, 14 January 2012 12:20 UTC

Return-Path: <julian.reschke@gmx.de>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B6FB621F8600 for <websec@ietfa.amsl.com>; Sat, 14 Jan 2012 04:20:31 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -103.056
X-Spam-Level:
X-Spam-Status: No, score=-103.056 tagged_above=-999 required=5 tests=[AWL=-1.057, BAYES_00=-2.599, J_CHICKENPOX_41=0.6, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id idhpkhReA0KT for <websec@ietfa.amsl.com>; Sat, 14 Jan 2012 04:20:31 -0800 (PST)
Received: from mailout-de.gmx.net (mailout-de.gmx.net [213.165.64.22]) by ietfa.amsl.com (Postfix) with SMTP id D772221F85FD for <websec@ietf.org>; Sat, 14 Jan 2012 04:20:30 -0800 (PST)
Received: (qmail invoked by alias); 14 Jan 2012 12:20:29 -0000
Received: from p3EE27592.dip.t-dialin.net (EHLO [192.168.178.36]) [62.226.117.146] by mail.gmx.net (mp026) with SMTP; 14 Jan 2012 13:20:29 +0100
X-Authenticated: #1915285
X-Provags-ID: V01U2FsdGVkX18x0KVIEAwxDOKIGA9KXYOJIV9AtZPg7QDlPaMR8b P4Y5nhBZ5xB8fZ
Message-ID: <4F117308.3030501@gmx.de>
Date: Sat, 14 Jan 2012 13:20:24 +0100
From: Julian Reschke <julian.reschke@gmx.de>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0) Gecko/20111222 Thunderbird/9.0.1
MIME-Version: 1.0
To: =JeffH <Jeff.Hodges@KingsMountain.com>
References: <4F10CB26.2000206@KingsMountain.com>
In-Reply-To: <4F10CB26.2000206@KingsMountain.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Y-GMX-Trusted: 0
Cc: IETF WebSec WG <websec@ietf.org>
Subject: Re: [websec] of quoted-string header field param value syntax (was: Strict-Transport-Security syntax redux)
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 14 Jan 2012 12:20:31 -0000

On 2012-01-14 01:24, =JeffH wrote:
>
> In terms of this question of whether the STS header field directive ABNF
> should be..
>
> 1) directive = token [ "=" ( token | quoted-string ) ]
>
> ..or..
>
> 2) directive = token [ "=" token ]
>
> ..I can see both sides of the argument.
>
> However, I've been thinking about it and grepping thru specs as well as
> firefox and chrome code, which has led me to think that from an overall
> (specification) consistency perspective, I'm leaning towards spec'g it
> with quoted-string in the ABNF (ie, as (1)). And has been pointed out in

+1

> the discussion, it is sort of a moot point because the STS header field
> does not at this time make use of the quoted-string production, nor do
> we have on the table any extension directives that would do so.

It's not a moot point at all. If you don't spec it now, extensions will 
not ever be able to use quoted-string, because recipients parsing over 
those extensions will trip over them.

> In going through the FF and Chrome code, I note that both of their STS
> header field parsing methods appear to be special-case and AFAICT don't
> make use of other, more general HTTP header field parsing routines that
> are available in both implementations, and that are used to parse other
> HTTP response header fields. These latter more general HTTP header field
> parsing routines appear to be used for processing various of the other
> HTTP response and request header fields (and they appear to handle
> quoted-string). But it isn't clear why they aren't used for STS. It also
> isn't clear how uniformly these parsing routines are used for the
> panoply of HTTP header fields -- some other header fields appear to be
> special-cased as well (tho my c++ foo is wanting and the code is
> vast..). So yeah, it does seem messy.

It's true what right now there isn't a lot of re-use of header field 
parsers. This is likely because of historic reasons; different header 
fields have different parsing quirks.

But of course that's not an excuse to add unneeded special cases in the 
future.

Example: just a few weeks ago we discussed the "Prefer" header field in 
the HTTPbis WG, and we have been able to make it parse exactly like 
"Expect" (after fixing "Expect" as well, see 
<http://trac.tools.ietf.org/wg/httpbis/trac/ticket/327>).

Best regards, Julian

v2.23.0 | Report a Bug | By Email