W3C home > Mailing lists > Public > public-webapi@w3.org > May 2008

Re: Moving forward with XHR2 and AC

From: Thomas Roessler <tlr@w3.org>
Date: Tue, 27 May 2008 20:48:29 +0200
To: Jonas Sicking <jonas@sicking.cc>
Cc: Ian Hickson <ian@hixie.ch>, Anne van Kesteren <annevk@opera.com>, "public-webapi@w3.org" <public-webapi@w3.org>, "public-appformats@w3.org" <public-appformats@w3.org>
Message-ID: <20080527184829.GF27019@iCoaster.does-not-exist.org>

On 2008-05-27 11:00:44 -0700, Jonas Sicking wrote:

> What I suggest is that we prohibit the Access-Control-Policy-Path
> header from being used on URIs that include the string "..\", in
> escaped or unescaped form. One worry with this is if there are
> encodings which put the '.' or '\' characters to other codepoints
> than 2E and 5C respectively. I.e. would we need to forbid its
> use on URIs other than ones containing

That sounds like perpetuating a bad hack in a spec.  I'd rather see
us say -- in a note somewhere in the spec -- that servers will want
to be careful, and will want to, e.g., configure their respective
web application firewall to prevent this attack from occurring.

That's very different from having specific client conformance
requirements around this kind of server behavior.

-- 
Thomas Roessler, W3C  <tlr@w3.org>
Received on Tuesday, 27 May 2008 18:49:10 GMT
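
As an added illustration, not part of this message or the thread and not code from the XHR2 or Access Control drafts or any browser, the following shows what the client-side rule Jonas proposes would look like in practice: ignore a response's Access-Control-Policy-Path header when the request URI contains "..\" in escaped or unescaped form. It also shows why a plain substring test does not meet the rule, and it goes a step beyond the quoted text by folding two further server-side decodings that the worry about codepoints other than 2E and 5C points at (IIS-style %uXXXX and two-byte overlong UTF-8); those extra decodings, the function names and the sample URIs are this example's own assumptions. The header name is the one discussed in the thread.

```javascript
// Added example, not code from the thread, from the XHR2/Access Control
// drafts or from any browser. Implements the rule proposed above: a
// response's Access-Control-Policy-Path header is ignored when the request
// URI contains "..\" in escaped or unescaped form. The extra decodings
// (%uXXXX, overlong UTF-8), function names and sample URIs are assumptions.

const POLICY_PATH_HEADER = "Access-Control-Policy-Path";

// Decode one layer of escaping. Beyond standard %XX this also folds
// %uXXXX and overlong two-byte UTF-8 (%C0%AE -> '.', %C1%9C -> '\'), which
// is what the worry about other codepoints for 2E and 5C is about.
// Sequences that do not match are left untouched.
function decodeOnce(s) {
  return s.replace(
    /%u([0-9a-f]{4})|%(c[01])%([89ab][0-9a-f])|%([0-9a-f]{2})/gi,
    (match, ucode, lead, cont, hex) => {
      if (ucode !== undefined) return String.fromCharCode(parseInt(ucode, 16));
      if (lead !== undefined) {
        // 110xxxxx 10yyyyyy -> xxxxxyyyyyy (overlong form of an ASCII byte)
        const cp = ((parseInt(lead, 16) & 0x1f) << 6) | (parseInt(cont, 16) & 0x3f);
        return String.fromCharCode(cp);
      }
      return String.fromCharCode(parseInt(hex, 16));
    }
  );
}

// Return the URI plus each successive decoding, so double-encoded forms
// (%252e -> %2e -> .) are visible. Bounded to avoid pathological input.
function decodeLayers(uri, maxLayers = 3) {
  const layers = [uri];
  let current = uri;
  for (let i = 0; i < maxLayers; i++) {
    const next = decodeOnce(current);
    if (next === current) break;
    layers.push(next);
    current = next;
  }
  return layers;
}

// The proposed client rule: true if "..\" appears at any decoding layer.
function containsDotDotBackslash(uri) {
  return decodeLayers(uri).some((layer) => layer.includes("..\\"));
}

// The naive version of the same rule, kept for contrast: it sees only the
// literal, unescaped form.
function naiveContainsDotDotBackslash(uri) {
  return uri.includes("..\\");
}

// Decide whether a client following the proposed rule may honour the
// policy-path header on a response to `uri`. Returns the accepted header
// value, or null when the header is absent or the URI is forbidden.
function acceptPolicyPath(uri, headers) {
  const key = Object.keys(headers).find(
    (k) => k.toLowerCase() === POLICY_PATH_HEADER.toLowerCase()
  );
  if (key === undefined) return null;
  if (containsDotDotBackslash(uri)) return null;
  return headers[key];
}

// Constructed sample request URIs (not taken from the thread).
const SAMPLE_URIS = [
  "/public/data.json",                 // ordinary request
  "/public/..\\secret",                // literal form
  "/public/%2e%2e%5csecret",           // percent-encoded
  "/public/..%5Csecret",               // mixed
  "/public/%252e%252e%255csecret",     // double-encoded
  "/public/%c0%ae%c0%ae%c1%9csecret",  // overlong UTF-8
  "/public/..%u005Csecret",            // %u form
  "/public/../secret",                 // forward slash: outside the rule
];

// Run both checks over the samples; returns one row per URI.
function compareChecks(uris = SAMPLE_URIS) {
  return uris.map((uri) => ({
    uri,
    naive: naiveContainsDotDotBackslash(uri),
    decoded: containsDotDotBackslash(uri),
  }));
}

for (const row of compareChecks()) {
  const naive = row.naive ? "naive:BLOCK" : "naive:allow";
  const decoded = row.decoded ? "decoded:BLOCK" : "decoded:allow";
  console.log(`${naive}  ${decoded}  ${row.uri}`);
}
```

The last sample is deliberately outside the rule as quoted: "../" with a forward slash is not caught, because the proposal is specifically about "..\". Whether a server treats any of the encoded forms as a backslash depends on that server's decoder, which is exactly the point at which Thomas prefers a server-side note over a client conformance requirement.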

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 27 May 2008 18:49:13 GMT