Re: Moving forward with XHR2 and AC

On 2008-05-27 11:00:44 -0700, Jonas Sicking wrote:

> What I suggest is that we prohibit the Access-Control-Policy-Path
> header from being used on URIs that include the string "..\", in
> escaped or unescaped form. One worry with this is if there are
> encodings which put the '.' or '\' characters to other codepoints
> than 2E and 5C respectively. I.e.  would we need to forbid its
> use on URIs other than ones containing

That sounds like perpetuating a bad hack in a spec.  I'd rather see
us say -- in a note somewhere in the spec -- that servers will want
to be careful, and will want to, e.g., configure their respective
web application firewall to prevent this attack from occuring.

That's very different from having specific client conformance
requirements around this kind of server behavior.

-- 
Thomas Roessler, W3C  <tlr@w3.org>

Received on Tuesday, 27 May 2008 18:49:13 UTC