IETF Logo Mail Archive

Re: [websec] of quoted-string header field param value syntax (was: Strict-Transport-Security syntax redux)

Adam Barth <ietf@adambarth.com> Sun, 15 January 2012 21:54 UTC

Return-Path: <ietf@adambarth.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DEC4B21F84C3 for <websec@ietfa.amsl.com>; Sun, 15 Jan 2012 13:54:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.483
X-Spam-Level:
X-Spam-Status: No, score=-2.483 tagged_above=-999 required=5 tests=[AWL=-0.106, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, J_CHICKENPOX_41=0.6, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nWsjTJXqZIUJ for <websec@ietfa.amsl.com>; Sun, 15 Jan 2012 13:54:13 -0800 (PST)
Received: from mail-iy0-f172.google.com (mail-iy0-f172.google.com [209.85.210.172]) by ietfa.amsl.com (Postfix) with ESMTP id C4FFD21F845F for <websec@ietf.org>; Sun, 15 Jan 2012 13:54:13 -0800 (PST)
Received: by iaae16 with SMTP id e16so8164138iaa.31 for <websec@ietf.org>; Sun, 15 Jan 2012 13:54:13 -0800 (PST)
Received: by 10.50.88.129 with SMTP id bg1mr10243290igb.10.1326664453333; Sun, 15 Jan 2012 13:54:13 -0800 (PST)
Received: from mail-iy0-f172.google.com (mail-iy0-f172.google.com [209.85.210.172]) by mx.google.com with ESMTPS id gh9sm21351603igb.3.2012.01.15.13.54.12 (version=SSLv3 cipher=OTHER); Sun, 15 Jan 2012 13:54:12 -0800 (PST)
Received: by iaae16 with SMTP id e16so8164111iaa.31 for <websec@ietf.org>; Sun, 15 Jan 2012 13:54:12 -0800 (PST)
Received: by 10.50.214.38 with SMTP id nx6mr7563480igc.19.1326664451992; Sun, 15 Jan 2012 13:54:11 -0800 (PST)
MIME-Version: 1.0
Received: by 10.231.62.139 with HTTP; Sun, 15 Jan 2012 13:53:37 -0800 (PST)
In-Reply-To: <4F10CB26.2000206@KingsMountain.com>
References: <4F10CB26.2000206@KingsMountain.com>
From: Adam Barth <ietf@adambarth.com>
Date: Sun, 15 Jan 2012 13:53:37 -0800
Message-ID: <CAJE5ia9-_KcDcm1Ac51PQt0XOGXmXnQjabMnDd1QihU_MGkBZA@mail.gmail.com>
To: =JeffH <Jeff.Hodges@kingsmountain.com>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
Cc: IETF WebSec WG <websec@ietf.org>
Subject: Re: [websec] of quoted-string header field param value syntax (was: Strict-Transport-Security syntax redux)
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 15 Jan 2012 21:54:15 -0000

On Fri, Jan 13, 2012 at 4:24 PM, =JeffH <Jeff.Hodges@kingsmountain.com> wrote:
>
> In terms of this question of whether the STS header field directive ABNF
> should be..
>
> 1)  directive         = token [ "=" ( token | quoted-string ) ]
>
> ..or..
>
> 2)  directive         = token [ "=" token ]
>
> ..I can see both sides of the argument.
>
> However, I've been thinking about it and grepping thru specs as well as
> firefox and chrome code, which has led me to think that from an overall
> (specification) consistency perspective, I'm leaning towards spec'g it with
> quoted-string in the ABNF (ie, as (1)). And has been pointed out in the
> discussion, it is sort of a moot point because the STS header field does not
> at this time make use of the quoted-string production, nor do we have on the
> table any extension directives that would do so.
>
> In going through the FF and Chrome code, I note that both of their STS
> header field parsing methods appear to be special-case and AFAICT don't make
> use of other, more general HTTP header field parsing routines that are
> available in both implementations, and that are used to parse other HTTP
> response header fields. These latter more general HTTP header field parsing
> routines appear to be used for processing various of the other HTTP response
> and request header fields (and they appear to handle quoted-string). But it
> isn't clear why they aren't used for STS. It also isn't clear how uniformly
> these parsing routines are used for the panoply of HTTP header fields --
> some other header fields appear to be special-cased as well (tho my c++ foo
> is wanting and the code is vast..). So yeah, it does seem messy.

It's definitely messy.

I don't think it matters much what we write in this document.  Even if
we spec quoted-string, I doubt many folks will implement it.  However,
we can deal with that problem when it comes time to add extension
values that actually used quoted-string.

Adam

v2.23.0 | Report a Bug | By Email