W3C home > Mailing lists > Public > public-webapi@w3.org > May 2008

Re: Moving forward with XHR2 and AC

From: Jonas Sicking <jonas@sicking.cc>
Date: Tue, 27 May 2008 14:42:20 -0700
Message-ID: <483C803C.2080406@sicking.cc>
To: Jonas Sicking <jonas@sicking.cc>, Ian Hickson <ian@hixie.ch>, Anne van Kesteren <annevk@opera.com>, "public-webapi@w3.org" <public-webapi@w3.org>, "public-appformats@w3.org" <public-appformats@w3.org>

Thomas Roessler wrote:
> On 2008-05-27 11:00:44 -0700, Jonas Sicking wrote:
> 
>> What I suggest is that we prohibit the Access-Control-Policy-Path
>> header from being used on URIs that include the string "..\", in
>> escaped or unescaped form. One worry with this is if there are
>> encodings which put the '.' or '\' characters to other codepoints
>> than 2E and 5C respectively. I.e.  would we need to forbid its
>> use on URIs other than ones containing
> 
> That sounds like perpetuating a bad hack in a spec.  I'd rather see
> us say -- in a note somewhere in the spec -- that servers will want
> to be careful, and will want to, e.g., configure their respective
> web application firewall to prevent this attack from occuring.
> 
> That's very different from having specific client conformance
> requirements around this kind of server behavior.

I really dislike it too, but just putting a "be careful" note in the 
spec isn't going to help anyone.

If we don't put this in the spec I suspect that in reality this is 
something that implementations are going to want to do anyway. I guess 
I'm fine with having this as a non-normative note to ensure that 
implementations that want to be on the safe side can.

But at that point we might as well enforce it in the spec too so that 
sites can rely on it.

/ Jonas
Received on Tuesday, 27 May 2008 21:45:06 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 27 May 2008 21:45:13 GMT