- From: Jonas Sicking <jonas@sicking.cc>
- Date: Tue, 27 May 2008 11:00:44 -0700
- To: Ian Hickson <ian@hixie.ch>
- CC: Anne van Kesteren <annevk@opera.com>, "public-webapi@w3.org" <public-webapi@w3.org>, "public-appformats@w3.org" <public-appformats@w3.org>
Ian Hickson wrote: > On Sun, 25 May 2008, Jonas Sicking wrote: >>>> Access Control for Cross-Site Requests >>>> >>>> * Need to deal with Access-Control-Policy-Path normalization >>> Done. >> I think we do need to deal with this. Just leaving it be will I think >> will cause exploitable servers out there. > > I don't understand how this is different to anything else that servers can > do to shoot themselves in the foot. I think that the danger for authors > using misconfigured and IIS servers is far outweighed by the benefit to > all authors in terms of the reduced load. Firing an OPTIONS request for > every single request is a high cost. It is different in its likelihood to happen. I think we can expect people to deploy all the features of this spec on IIS. We do have a requirement that the spec should be deployable on existing servers and I think we're currently failing that requirement. What I suggest is that we prohibit the Access-Control-Policy-Path header from being used on URIs that include the string "..\", in escaped or unescaped form. One worry with this is if there are encodings which put the '.' or '\' characters to other codepoints than 2E and 5C respectively. I.e. would we need to forbid its use on URIs other than ones containing (.|%2e)(.|%2e)(\|%5c) / Jonas
Received on Tuesday, 27 May 2008 18:03:37 UTC