Re: [websec] Strict-Transport-Security syntax redux

[Julian Reschke <julian.reschke@gmx.de>]

On 2011-12-29 22:32, Adam Barth wrote:
> On Thu, Dec 29, 2011 at 1:24 PM, Julian Reschke<julian.reschke@gmx.de>  wrote:
>> On 2011-12-29 22:18, Adam Barth wrote:
>>> On Thu, Dec 29, 2011 at 1:13 PM, Julian Reschke<julian.reschke@gmx.de>
>>>   wrote:
>>>> On 2011-12-29 20:50, Adam Barth wrote:
>>>>> As I wrote before, I don't think we should include quoted-string in
>>>>> the grammar.  As far as I know, no one has implemented it and I have
>>>>> no plans to implement quoted-string in Chrome.  Having quoted-string
>>>>> in the grammar only leads to pain.,
>>>>
>>>> It would be helpful if you were more precise on the pain it causes,
>>>> considering you need to process extension directives anyway...
>>>
>>> We've been over this several times before.  The problem is the
>>> requirement to balance DQUOTE and the complexities surrounding the
>>> error conditions if the DQUOTEs don't balance properly (including
>>> escaping).
>>
>> Yes, but you are avoiding the question I asked. Are you implementing
>> quoted-string for extension parameters?
>
> No.
>
> Here's the grammar I recommend:
>
>     Strict-Transport-Security = "Strict-Transport-Security" ":"
>                                     directive *( ";" [ directive ] )
>
>     directive         = max-age | includeSubDomains | STS-d-ext
>     max-age           = "max-age" "=" delta-seconds
>     includeSubDomains = "includeSubDomains"
>     STS-d-ext     = token [ "=" token ]
>
> I would also define the precise requirements for parsing all possible
> input sequences, but I understand that's not fashionable.

Ack. This is at least consistent.

That being said, I disagree. token=quoted-string is widely implemented, 
and if there are clients not getting it right we should fix them.

If you are aware of specific clients having this problem please list 
them so we can open bug reports.

Best regards, Julian