On HSTS HTTP Header Syntax
From the spec [here][1]:
The ABNF (Augmented Backus-Naur Form) syntax for the STS header
field is given below. It is based on the Generic Grammar defined
in Section 2 of [RFC2616] (which includes a notion of "implied
linear whitespace", also known as "implied *LWS").
Strict-Transport-Security = "Strict-Transport-Security" ":"
[ directive ] *( ";" [ directive ] )
and [here][2],
implied *LWS
The grammar described by this specification is word-based. Except
where noted otherwise, linear white space (LWS) can be included
between any two adjacent words (token or quoted-string), and
between adjacent words and separators, without changing the
interpretation of a field. At least one delimiter (LWS and/or
separators) MUST exist between any two tokens (for the definition
of "token" below), since they would otherwise be interpreted as a
single token.
Given the spec's example:
Strict-Transport-Security: max-age="31536000"
Q1: Does it mean that only a single space may be added between any two words? i.e. is this header correct (note the spaces before and after the equals sign)?
Strict-Transport-Security : max-age = "31536000"
Q2: Are quotations on the number "31536000" required or optional?
Q3: Does the spec's explanation cover multiple spaces, or is strictly only a single space allowed? e.g. what about:
Strict-Transport-Security : max-age = "31536000"
Q4: Is it acceptable to add single or double quotes around the key or the value? e.g. is this acceptable:
"Strict-Transport-Security" : "max-age"="31536000"
Please clarify. Interpreting specs can be tricky. But with your help I hope I can get an accurate understanding.
[1]: https://www.rfc-editor.org/rfc/rfc6797#section-6.1
[2]: https://www.rfc-editor.org/rfc/rfc2616#section-2
Strict-Transport-Security : max-age = "31536000"
This header is incorrect in my opinion, because it has a space between the field-name and the ":". Section 4.2 of RFC 2616 says "Each header field consists of a name followed by a colon (":") and the field value.", i.e. nothing about LWS after the name. But it is actually not entirely clear whether LWS is not mentioned because it is implied, or whether LWS is deliberately not mentioned because it is not allowed here. In practice, implementations differ, and this can be used to cause different interpretations in different systems.
As for the LWS between parameter name and parameter value, I think this matches the definition of implied LWS, i.e. it is valid. But implied LWS does not mean that only a single space may be added; 2.1 says "... At least one delimiter (LWS and/or separators) MUST exist between any two tokens ...", which means there can actually be multiple spaces or none (just a separator).
Q2: Are quotations on the number "31536000" required or optional?
RFC 6797 has explicit examples in section 6.2 that should make this clear:
Strict-Transport-Security: max-age=15768000 ; includeSubDomains
...
The max-age directive value can optionally be quoted:
Strict-Transport-Security: max-age="31536000"
Q3: Does the spec's explanation cover multiple spaces, or is strictly only a single space allowed? e.g. what about:
Again, it does not restrict the number of spaces in implied LWS.
"Strict-Transport-Security" : "max-age"="31536000"
The field name and the parameter name are defined as token. Tokens should not be quoted.
Please clarify. Interpreting specs can be tricky. But with your help I hope I can get an accurate understanding.
You are right. It is not only tricky but often confusing, not clear enough, and sometimes the specs even contradict each other. Treating critical data as loose text with optional LWS in various places, optional or required quoting, ... offers many ways of implementing and parsing it, and often unexpected ones.
I have successfully used such ambiguous definitions to bypass various security systems, because those systems handled the field slightly differently from the browser and therefore interpreted the content differently. In my opinion, these text-based, complex, extensible and (unnecessarily) flexible standards are simply broken by design from a security point of view, and they also make implementation and testing unnecessarily complex.
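An added example, not code from the question or the answer: a small Python parser that applies the RFC 6797 6.1 grammar quoted above, skipping implied LWS around "=" and ";", accepting a directive-value as either a token or a quoted-string (so the quotes around 31536000 are optional), and rejecting a quoted directive-name because a directive-name is a token. The line splitter rejects whitespace between the field-name and the colon, which is how RFC 7230 section 3.2.4 later settled the RFC 2616 ambiguity the answer describes; the function names are assumptions.

```python
import re
TOKEN_RE = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")   # RFC 2616 token
QUOTED_RE = re.compile(r'"((?:[^"\\\r\n]|\\.)*)"')        # RFC 2616 quoted-string
LWS_RE = re.compile(r"[ \t]*")                            # implied *LWS (no folding)

def split_header_line(line):
    """'Name: value'; the field-name must be a bare token, so 'Name : value' is rejected."""
    name, sep, value = line.partition(":")
    if not sep or not TOKEN_RE.fullmatch(name):
        raise ValueError("field-name is not a token: %r" % name)
    return name, value

def parse_sts_value(value):
    """RFC 6797 6.1 grammar with implied *LWS; returns {lowercased name: value or None}."""
    directives, pos, n = {}, 0, len(value)
    while True:
        pos = LWS_RE.match(value, min(pos, n)).end()
        while pos < n and value[pos] == ";":     # [ directive ] may be empty
            pos = LWS_RE.match(value, pos + 1).end()
        if pos >= n:
            break
        m = TOKEN_RE.match(value, pos)
        if not m:                                # e.g. a quoted "max-age" name
            raise ValueError("directive-name must be a token at %d" % pos)
        name, pos, val = m.group(0).lower(), m.end(), None
        pos = LWS_RE.match(value, pos).end()
        if pos < n and value[pos] == "=":
            pos = LWS_RE.match(value, pos + 1).end()
            q, t = QUOTED_RE.match(value, pos), TOKEN_RE.match(value, pos)
            if q:                                # quoted-string: strip quotes, unescape
                val, pos = re.sub(r"\\(.)", r"\1", q.group(1)), q.end()
            elif t:
                val, pos = t.group(0), t.end()
            else:
                raise ValueError("bad directive-value at %d" % pos)
            pos = LWS_RE.match(value, pos).end()
        if name in directives:                   # RFC 6797: each directive at most once
            raise ValueError("duplicate directive %r" % name)
        directives[name] = val
        if pos < n and value[pos] != ";":        # LWS alone does not separate directives
            raise ValueError("expected ';' at %d" % pos)
        pos += 1                                 # step past ';' (or past the end)
    return directives

def hsts_policy(value):
    """max-age is required and must be 1*DIGIT; returns (seconds, includeSubDomains)."""
    d = parse_sts_value(value)
    if not re.fullmatch(r"[0-9]+", d.get("max-age") or ""):
        raise ValueError("max-age missing or not delta-seconds")
    return int(d["max-age"]), "includesubdomains" in d
```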