w3c-ccg / http-signatures

Signing HTTP Messages specification
https://w3c-dvcg.github.io/http-signatures/

Proposal to add (response-code) special header #106

Open rinne opened 4 years ago

rinne commented 4 years ago

Hi

I propose to add a special header that can be used for including the HTTP response code in the signature, in case the signature is generated for an HTTP response instead of an HTTP request, as described in chapter 1.2 of draft-12.

I propose the following backwards compatible amendments.

---------- Page 6

To include the HTTP request target in the signature calculation, use
the special `(request-target)` header field name.  To include the
signature creation time, use the special `(created)` header field
name.  To include the signature expiration time, use the special
`(expires)` header field name.

1.  If the header field name is `(request-target)` then generate the
    header field value by concatenating the lowercased :method, an
    ASCII space, and the :path pseudo-headers (as specified in
    HTTP/2, Section 8.1.2.3 [7]).  Note: For the avoidance of doubt,
    lowercasing only applies to the :method pseudo-header and not to
    the :path pseudo-header.

--------->

To include the HTTP request target in the signature calculation, use
the special `(request-target)` header field name.  To include the
signature creation time, use the special `(created)` header field
name.  To include the signature expiration time, use the special
`(expires)` header field name. To include the HTTP status code in
the signature calculation over an HTTP response, use the special
`(response-code)` header field name.

1.  If the header field name is `(request-target)` then generate the
    header field value by concatenating the lowercased :method, an
    ASCII space, and the :path pseudo-headers (as specified in
    HTTP/2, Section 8.1.2.3 [7]).  Note: For the avoidance of doubt,
    lowercasing only applies to the :method pseudo-header and not to
    the :path pseudo-header. This special header is applicable only
    to HTTP requests.

----------

---------- Page 7

3.  If the header field name is `(expires)` and the `algorithm`
    parameter starts with `rsa`, `hmac`, or `ecdsa` an implementation
    MUST produce an error.  If the `expires` Signature Parameter is
    not specified, or is not an integer, an implementation MUST
    produce an error.  Otherwise, the header field value is the
    integer expressed by the `created` signature parameter.

4.  Create the header field string by concatenating the lowercased

--------->

3.  If the header field name is `(expires)` and the `algorithm`
    parameter starts with `rsa`, `hmac`, or `ecdsa` an implementation
    MUST produce an error.  If the `expires` Signature Parameter is
    not specified, or is not an integer, an implementation MUST
    produce an error.  Otherwise, the header field value is the
    integer expressed by the `created` signature parameter.

4.  If the header field name is `(response-code)`, then the header
    field value is a three digit HTTP status code (e.g. 200). This
    special header is applicable only to HTTP responses.

5.  Create the header field string by concatenating the lowercased

----------
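As an added illustration (example code written for this issue, not the specification's or any implementation's), the following builder produces the draft-12 style signing string for a response and handles the proposed `(response-code)` line next to the existing special headers, refusing it on requests and refusing `(request-target)` on responses. It assumes the `(expires)` value is the `expires` signature parameter and that a three-digit status code is required.

```python
# Example signing-string builder for HTTP Signatures draft-12 plus the
# proposed (response-code) special header. Written for this issue as an
# illustration; not the spec's own text or a project's implementation.

LEGACY_ALGORITHM_PREFIXES = ("rsa", "hmac", "ecdsa")


def build_signing_string(headers, covered, *, is_request, status=None,
                         method=None, path=None, created=None, expires=None,
                         algorithm=None):
    """Return the canonical string to sign: one 'name: value' line per covered
    header, joined by newlines, with special headers resolved per draft-12."""
    lowered = {k.lower(): v for k, v in headers.items()}
    # Draft-12 forbids (created)/(expires) with the deprecated algorithm names.
    legacy = algorithm is not None and algorithm.startswith(LEGACY_ALGORITHM_PREFIXES)
    lines = []
    for name in covered:
        name = name.lower()
        if name == "(request-target)":
            if not is_request:
                raise ValueError("(request-target) only applies to HTTP requests")
            # Only :method is lowercased; :path is used verbatim.
            value = f"{method.lower()} {path}"
        elif name == "(created)":
            if legacy or not isinstance(created, int):
                raise ValueError("(created) needs an integer created param and hs2019")
            value = str(created)
        elif name == "(expires)":
            if legacy or not isinstance(expires, int):
                raise ValueError("(expires) needs an integer expires param and hs2019")
            value = str(expires)  # assumption: value is the expires parameter
        elif name == "(response-code)":
            if is_request:
                raise ValueError("(response-code) only applies to HTTP responses")
            if not (isinstance(status, int) and 100 <= status <= 999):
                raise ValueError("(response-code) needs a three-digit status code")
            value = str(status)
        elif name in lowered:
            # Ordinary header: strip leading/trailing optional whitespace.
            value = lowered[name].strip()
        else:
            raise ValueError(f"covered header not present: {name}")
        lines.append(f"{name}: {value}")
    return "\n".join(lines)


def build_or_error(**kwargs):
    """Helper for callers that want the error text instead of an exception."""
    try:
        return build_signing_string(**kwargs)
    except ValueError as exc:
        return f"error: {exc}"
```

A verifier recomputes the same string from the received response (using its actual status line) before checking the signature, so a tampered status code fails verification.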
ivilata commented 4 years ago

This may be a duplicate of #51.