Expect-CT header using comma delimiter instead of semicolon

[leonklingele]

In contract to headers like Content-Type, Content-Security-Policy, Feature-Policy, Public-Key-Pins, Strict-Transport-Security, etc., the Expect-CT header uses a comma delimiter instead of a semicolon. What's the reason for that?

Content-Type: text/html; charset=UTF-8
                       ^ Semicolon

Content-Security-Policy: default-src 'none'; script-src 'self'
                                           ^ Semicolon

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                           ^ Semicolon        ^ Semicolon

Expect-CT: enforce, max-age=86400
                  ^ Comma

[martinthomson]

Commas are used to separate different values. Those other header fields are comprised of a single value (with multiple parts). Expect-CT, like Cache-Control, includes multiple separate directives.

You could also say that Expect-CT fails to replicate the mistakes of those other header fields, but some of those - like CSP - are explicitly designed to have a single directive.