-
Notifications
You must be signed in to change notification settings - Fork 138
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Definition of Expect-CT is a little unclear #318
Comments
If it is supposed to be a list of directives (some of which may be name=value), then it should be
If it is supposed to be a list of directives with optional name=value parameters to each directive, then
I guess we could also use some examples in the specification. |
@martinthomson what you suggested does change the wire syntax... |
I also disagree with the statement:
That depends on the type of the field. It's definitively not true universally right now. |
BTW, that would be to match the standard HTTP/1.x syntax for most header fields. I don't think it is appropriate to use the experimental common structure, which is still just a proposal, unless folks want to make this header field a guinea pig. |
https://greenbytes.de/tech/webdav/rfc7838.html#rfc.section.3 might be a good template. |
Sorry for my delay here. If I'm understanding correctly, then @royfielding's first suggestion is the intention: it's supposed to be a list of directives, some of which may be name=value:
However this changes the format from semicolon-separated directives ( If so, it's a little unfortunate that it'll differ from HPKP/HSTS syntax, which is semicolon-separated directives, but I suppose that's okay. @jcjones how do you feel about that from a Firefox implementation perspective? |
@estark37: Implementation-wise, it's not much work to accept a comma-delimited list instead of semicolons. However, since this is so similar to CSP/HPKP/HSTS, I'd prefer it to have a similar structure of semicolon delineation, particularly since the reporting mechanism looks so much like CSP. It feels like it'd be weird to see the different delimiters side-by-side:
|
Yes, comma-separated lists is the normal form in HTTP (inherited from the Internet message syntax of email and netnews) because it allows multiple header fields to be appended without changing the semantics of the field. In other words,
is defined by HTTP to be equivalent to
which allows various implementation layers/filters to add to a message without rewriting the entire header block. If the comma-separated list syntax is not used, then implementations are forbidden from sending the directives in more than one field and recipients must fail-with-error if more than one field is received. |
STS, like Cookie, is a bad example of a microsyntax that doesn't take advantage of the HTTP-native features. Using the non-standard syntax can run afoul of some of the compression measures in HTTP/2. CSP is actually specifically defined as a single string, so the semi-colons are internal to the header field. Note that CSP actively forbids multiple header field values (or makes them all apply equally, I can't remember). In the ways that matter, CSP is actually perfectly compatible with Roy's suggestion. |
This changes Expect-CT to be a comma-separated list of directives (which may be name=value pairs), and adds some examples. Also allows the server to send multiple header fields so that they can be combined, as per #318 (comment) Fixes issue #318
This changes Expect-CT to be a comma-separated list of directives (which may be name=value pairs), and adds some examples. Also allows the server to send multiple header fields so that they can be combined, as per #318 (comment) Fixes issue #318
Alright, like @jcjones I find it weird that the syntax will be different than HSTS/HPKP/CSP, but I suppose that's okay; Expect-CT will already differ in a couple other subtle ways so I think the syntax difference is not the end of the world. @martinthomson @royfielding @reschke could you please check if #327 seems reasonable? |
This changes Expect-CT to be a comma-separated list of directives (which may be name=value pairs), and adds some examples. Also allows the server to send multiple header fields so that they can be combined, as per #318 (comment) Fixes issue #318, #321
The convention for HTTP is to define header fields as follows:
Which leads to me suggesting:
Note that this doesn't follow the common structure, which uses:
Ignore the obvious errors in the common structure syntax, the intent is to have a list of identifiers followed by dictionaries.
I've marked this as editorial, I think that the outcome will not affect the wire syntax at all.
The text was updated successfully, but these errors were encountered: