[websec] HSTS ABNF still broken: requires leading semi-colon

"Manger, James H" <James.H.Manger@team.telstra.com> Tue, 13 March 2012 22:55 UTC

From: "Manger, James H" <James.H.Manger@team.telstra.com>
To: "websec@ietf.org" <websec@ietf.org>
Date: Wed, 14 Mar 2012 09:55:04 +1100
Message-ID: <255B9BB34FB7D647A506DC292726F6E114EE35407A@WSMSG3153V.srv.dir.telstra.com>
References: <070.dc46fc06c043a8103369b4b2f8b4d471@trac.tools.ietf.org> <085.567a0b02f7ef14214dd56fdf35d75fe7@trac.tools.ietf.org>
In-Reply-To: <085.567a0b02f7ef14214dd56fdf35d75fe7@trac.tools.ietf.org>
Subject: [websec] HSTS ABNF still broken: requires leading semi-colon

The ABNF for the Strict-Transport-Security header looks wrong. It now *requires* a leading ";" before the first directive. None of the 3 examples in the doc <draft-ietf-websec-strict-transport-sec-06> have a leading ";".

Allowing extraneous semi-colons seems fairly pointless to me, but if we need them I suggest the following ABNF.

  Strict-Transport-Security = "Strict-Transport-Security" ":"
                                 directive *( ";" directive )

  directive                 = [ token [ "=" ( token | quoted-string ) ] ]

<Strict-Transport-Security> makes it obvious that the header field value is 1 or more directives, separated by semi-colons.
The whole <directive> is optional (i.e. an empty string matches <directive>), so leading, trailing, or consecutive semi-colons in an STS header are OK — they separate empty directives that can be ignored.

James Manger

From: websec-bounces@ietf.org [mailto:websec-bounces@ietf.org] On Behalf Of websec issue tracker
Sent: Saturday, 10 March 2012 3:12 AM
To: draft-ietf-websec-strict-transport-sec@tools.ietf.org; jeff.hodges@kingsmountain.com; julian.reschke@gmx.de
Cc: websec@ietf.org
Subject: Re: [websec] #33: HSTS: quoted-string grammar in (extension) directives ?

#33: HSTS: quoted-string grammar in (extension) directives ?

Comment (by jeff.hodges@…):

 Further nits wrt STS header ABNF are in the thread rooted here..

 [websec] STS ABNF, was: new rev: draft-ietf-websec-strict-transport-sec-04

 the crux being..

    STS: foo ;

 parses, but

    STS: ; foo

 does not. This could be fixed by saying:

       Strict-Transport-Security = "Strict-Transport-Security" ":"
                                   *( ";" [ directive ] )

 Reporter:   jeff.hodges@…
 Owner:      draft-ietf-websec-strict-transport-sec@…
 Type:       defect
 Status:     new
 Priority:   major
 Milestone:
 Component:  strict-transport-sec
 Version:
 Resolution:
 Severity:   Active WG Document
 Keywords:

Ticket URL: <http://trac.tools.ietf.org/wg/websec/trac/ticket/33#comment:3>
websec <http://tools.ietf.org/websec/>
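As an added illustration (not part of James Manger's mail, the tracker comment, or the draft itself), the following Python parser implements the tolerant reading of the STS grammar that both proposals above arrive at: with <directive> allowed to be empty (or, equivalently, with `*( ";" [ directive ] )`), leading, trailing and consecutive semi-colons separate empty directives that are simply dropped, so `; foo`, `foo ;` and `max-age=31536000; includeSubDomains` all parse. The `token` and `quoted-string` productions are taken from RFC 2616 as the draft does; `sts_policy` additionally applies the max-age / includeSubDomains semantics from the HSTS specification, which this mail does not discuss. Function names and the sample header values are my own.

```python
"""Tolerant parser for the Strict-Transport-Security field value.

Grammar implemented (from the thread):

  Strict-Transport-Security = "Strict-Transport-Security" ":"
                                 directive *( ";" directive )
  directive                 = [ token [ "=" ( token | quoted-string ) ] ]

Empty directives produced by leading, trailing or consecutive ";" are
accepted and ignored. Function names are the author's own choice.
"""
import re

# RFC 2616 token: any CHAR except CTLs and separators. This is the same
# set as RFC 7230's tchar, written out explicitly.
_TOKEN_RE = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")


def split_directives(value):
    """Split a field value on ';' characters that lie outside quoted-strings.

    Inside a quoted-string a backslash forms a quoted-pair ("\\" CHAR), so it
    escapes the next character, including '"'. Pieces are whitespace-trimmed
    and empty pieces are kept so the caller can see (and drop) them.
    """
    pieces, buf, in_quotes, i = [], [], False, 0
    while i < len(value):
        ch = value[i]
        if in_quotes:
            if ch == '\\' and i + 1 < len(value):
                buf.append(ch)
                buf.append(value[i + 1])
                i += 2
                continue
            if ch == '"':
                in_quotes = False
        elif ch == '"':
            in_quotes = True
        elif ch == ';':
            pieces.append(''.join(buf).strip())
            buf = []
            i += 1
            continue
        buf.append(ch)
        i += 1
    if in_quotes:
        raise ValueError('unterminated quoted-string in STS value')
    pieces.append(''.join(buf).strip())
    return pieces


def parse_directive(piece):
    """Parse one non-empty directive into (name, value); value is None if absent."""
    name, sep, raw = piece.partition('=')
    name = name.strip()
    if not _TOKEN_RE.fullmatch(name):
        raise ValueError('directive-name is not a token: %r' % name)
    if not sep:
        return name, None
    raw = raw.strip()
    if raw.startswith('"'):
        if len(raw) < 2 or not raw.endswith('"'):
            raise ValueError('malformed quoted-string: %r' % raw)
        # Unescape quoted-pairs inside the quoted-string.
        return name, re.sub(r'\\(.)', r'\1', raw[1:-1])
    if not _TOKEN_RE.fullmatch(raw):
        raise ValueError('directive-value is not a token: %r' % raw)
    return name, raw


def parse_sts(value):
    """Return the list of (name, value) pairs, dropping empty directives."""
    return [parse_directive(p) for p in split_directives(value) if p != '']


def sts_policy(value):
    """Interpret the two directives defined by HSTS: max-age and includeSubDomains.

    Directive names are case-insensitive, max-age is required and unknown
    directives are ignored. Returns (max_age_seconds, include_subdomains).
    """
    max_age, include_sub = None, False
    for name, val in parse_sts(value):
        lname = name.lower()
        if lname == 'max-age':
            if val is None or not val.isdigit():
                raise ValueError('max-age requires a delta-seconds value')
            max_age = int(val)
        elif lname == 'includesubdomains':
            include_sub = True
    if max_age is None:
        raise ValueError('max-age directive is required')
    return max_age, include_sub


if __name__ == '__main__':
    # Constructed sample values covering the cases raised in the thread.
    for sample in ('max-age=31536000; includeSubDomains', '; foo', 'foo ;', ' ;; a ;; b=1 ;'):
        print(repr(sample), '->', parse_sts(sample))
    print(sts_policy('max-age="31536000"; includeSubDomains'))
```

The splitter does its own scan rather than `value.split(';')` because a quoted-string directive-value may itself contain `;`, which is exactly the kind of input that a naive implementation of the grammar would mis-parse.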