Evaluate Canonical value of security.txt? #772
Comments
For the Dutch government this could also identify incorrect redirects. E.g. https://www.rijksoverheid.nl/.well-known/security.txt would fail because the Canonical URL is https://www.ncsc.nl/.well-known/security.txt
If we finally want to do this, we first need to make a final decision on what we see as the requirements for Canonical. We've been pingponging on this for months now :)
Final decision:
#959 adds this and also updates the dependency to 0.8.3. @baknu we need new labels for errors. As before, DTC's wording does not have to match ours, we only use the same error code. Our interpretation of no_canonical_match is different from DTC, so we definitely should not reuse their error message text there. But I also think their proposed texts for CSAF are not very clear.
There's a bug here: when testing for internet.nl the
The canonical check is already done. The code is merged, we are upgraded to 0.8.3 in #959 and the bug I mentioned on June 8th is fixed. Only content is pending, included in https://github.com/internetstandards/Internet.nl_content/pull/41
@mxsasha: Content is ready. Could you check? Thanks.
Processed feedback from @mxsasha
Currently we do not check the value of the Canonical fields, because we find that its meaning is unclear in the security.txt specification. The latter is only the case when redirects are involved.
This issue is to get more clarity on its meaning when redirects are involved, and also to discuss if and how we can add a check for this.
Note 1: Clarification question was already asked on securitytxt/security-txt#217
Note 2: The sectxt parser now uses the following interpretation: "Web URI where security.txt is located must match with a 'Canonical' field. In case of redirecting either the first or last web URI of the redirect chain must match."
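As an added example (not code from the sectxt library or from internet.nl), the following Python implements the interpretation quoted in Note 2: the fetched URI must appear in a Canonical field, and when redirects were followed either the first or the last URI of the chain must match. The redirect chain is passed in as a list rather than fetched, the security.txt body is a constructed sample, and the error code name `no_canonical_match` is taken from the discussion above; everything else (function names, the normalization step) is an assumption made for this example.

```python
"""Canonical-field check for security.txt (added example, not project code).

The interpretation implemented here: the URI the file was fetched from must
appear in a Canonical field; if redirects were followed, either the first or
the last URI of the redirect chain must match. Intermediate hops are ignored.
No network access is used: the redirect chain and file body are constructed.
"""
from urllib.parse import urlsplit, urlunsplit

# Error code name as used in the issue thread; the message text is separate.
NO_CANONICAL_MATCH = "no_canonical_match"


def normalize(uri: str) -> str:
    """Lower-case scheme and host so comparison is not tripped by casing.
    Path, query and fragment are compared byte-for-byte (assumption)."""
    p = urlsplit(uri.strip())
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path, p.query, p.fragment))


def parse_canonical_fields(content: str) -> list[str]:
    """Return the normalized values of all Canonical fields in a security.txt body.
    Field names are case-insensitive (RFC 9116); lines starting with '#' are comments."""
    values = []
    for raw in content.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "canonical":
            values.append(normalize(value))
    return values


def check_canonical(redirect_chain: list[str], content: str) -> list[str]:
    """Return a list of error codes; empty means the check passes.

    redirect_chain[0] is the URI originally requested and redirect_chain[-1]
    the URI the body was finally served from (a single-element chain means no
    redirect). A file without Canonical fields has nothing to check.
    """
    canonical = set(parse_canonical_fields(content))
    if not canonical:
        return []
    candidates = {normalize(redirect_chain[0]), normalize(redirect_chain[-1])}
    if candidates & canonical:
        return []
    return [NO_CANONICAL_MATCH]


# Constructed sample body; the Canonical value mirrors the example in the thread.
SAMPLE_SECURITYTXT = """# constructed sample, not a real file
Contact: mailto:security@example.org
Expires: 2030-01-01T00:00:00Z
Canonical: https://www.ncsc.nl/.well-known/security.txt
"""


def run_samples() -> dict[str, list[str]]:
    """Exercise the check with a few constructed redirect chains."""
    ncsc = "https://www.ncsc.nl/.well-known/security.txt"
    rijks = "https://www.rijksoverheid.nl/.well-known/security.txt"
    other = "https://other.example/.well-known/security.txt"
    return {
        "direct_match": check_canonical([ncsc], SAMPLE_SECURITYTXT),
        "last_hop_matches": check_canonical([rijks, ncsc], SAMPLE_SECURITYTXT),
        "first_hop_matches": check_canonical([ncsc, other], SAMPLE_SECURITYTXT),
        "only_middle_hop_matches": check_canonical([rijks, ncsc, other], SAMPLE_SECURITYTXT),
        "no_canonical_field": check_canonical([other], "Contact: mailto:a@example.org\n"),
    }


if __name__ == "__main__":
    for name, errors in run_samples().items():
        print(f"{name}: {'OK' if not errors else errors}")
```

The `only_middle_hop_matches` case is the one worth noticing: a chain whose Canonical URI appears only as an intermediate hop is rejected under this rule, which is exactly the kind of redirect the first comment describes wanting to surface.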