
Re: Interaction of CSP and IRIs

From: Boris Zbarsky <bzbarsky@MIT.EDU>
Date: Fri, 07 Sep 2012 00:02:22 -0400
Message-ID: <504971CE.2030107@mit.edu>
To: Adam Barth <w3c@adambarth.com>
CC: public-webappsec@w3.org

On 9/6/12 11:48 PM, Adam Barth wrote:
> HTTP operates in terms of URIs.

Yes, but very few authors actually write HTTP servers.

> I'm not sure I understand your question.  Authors deal with
> host-expressions the same way they deal with the HTTP Host header.

Authors generally don't have to author Host headers; the UA sends those. They will, however, need to author host-expressions to actually use CSP.

>> Why not?  Everything else a browser has lying around (e.g. document
>> locations) is IRIs.  Are host-source expressions never compared to document
>> locations?
>
> In the end, the browser needs to translate IRIs into URIs for use in
> HTTP.  Everything in CSP 1.0 is defined in terms of networking
> operations

OK, fair.

> Indeed, but that's outside the scope of CSP 1.0.

Yes, I understand that's your position.  I just wish there were a way to 
make this stuff less of a footgun for authors...

> Actually, if your issue is with the WebKit implementation, you can
> just file a bug and I'll write a test in the course of fixing it.

https://bugs.webkit.org/show_bug.cgi?id=96061

Note that I haven't looked through the Gecko version carefully (because 
regexps); it may have similar problems.

> The short version is that the IETF insists that folks use IDNA2008,
> but most browsers implement something closer to IDNA2003.  IDNA2008 is
> not backwards compatible with IDNA2003 and so will never actually be
> deployed.  Any attempts to hammer out a browser-consensus spec get
> shouted down by folks who are pushing IDNA2008.

I see.  <sigh>.

-Boris
Received on Friday, 7 September 2012 04:02:52 GMT
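As an added illustration of the footgun this exchange is about (example code written for this archive page, not code from the thread, from WebKit, or from Gecko): a minimal CSP 1.0 host-source matcher. The browser compares a host-expression against the URI form of the request host, the ASCII/punycode labels it actually puts on the wire, so an expression an author writes in IRI form only matches if it is put through the same ToASCII step first. The policy strings, host names and request URLs below are constructed; the IRI-to-URI conversion is done with Node's WHATWG `URL` parser, which applies whatever IDNA mapping that Node/ICU build implements. The `bücher.example` case is one where IDNA2003 and IDNA2008 agree, so its punycode form is stable across implementations.

```javascript
// Added example, not code from the W3C thread or from any browser: a minimal
// CSP 1.0 host-source matcher showing the IRI/URI footgun. Hostnames, policies
// and request URLs are constructed for the example. ToASCII comes from Node's
// WHATWG URL parser (whichever IDNA mapping the Node/ICU build implements).

// host-source = [scheme://]host[:port]; host may be "*", "*.example" or non-ASCII.
const HOST_SOURCE = /^(?:([a-z][a-z0-9+.\-]*):\/\/)?([^\s:\/]+)(?::(\d+|\*))?$/i;

function parseHostSource(expr) {
  const m = HOST_SOURCE.exec(expr.trim());
  if (!m) throw new Error("not a host-source: " + expr);
  return {
    scheme: m[1] ? m[1].toLowerCase() + ":" : null,
    host: m[2],
    port: m[3] || null,
  };
}

// ToASCII for a host pattern: "bücher.example" -> "xn--bcher-kva.example",
// keeping a leading "*." wildcard intact. Parsing "https://<host>/" through the
// URL class applies the same IDNA mapping the network stack uses for the request.
function toAsciiHost(host) {
  if (host === "*") return "*";
  const wildcard = host.startsWith("*.");
  const bare = wildcard ? host.slice(2) : host;
  const ascii = new URL("https://" + bare + "/").hostname;
  return wildcard ? "*." + ascii : ascii;
}

// Pattern and hostname must already be in the same (ASCII) form for this to be sound.
function hostPatternMatches(pattern, hostname) {
  if (pattern === "*") return true;
  if (pattern.startsWith("*.")) {
    const suffix = pattern.slice(1);                 // ".example"
    return hostname.length > suffix.length && hostname.endsWith(suffix);
  }
  return pattern === hostname;
}

function defaultPort(scheme) {
  return { "http:": "80", "https:": "443" }[scheme] || null;
}

// CSP 1.0 host-source match for a request URL. `normalize` controls whether the
// author's host-expression is put through ToASCII before comparison:
//   false reproduces the footgun (literal compare of an IRI-form expression
//         against a URI-form request host, which never matches);
//   true  is what a conforming matcher has to do.
// A scheme-less expression inherits the protected document's scheme (CSP 1.0).
function hostSourceMatches(expr, requestUrl, { normalize = true, documentScheme = "https:" } = {}) {
  const src = parseHostSource(expr);
  const url = new URL(requestUrl);                   // url.hostname is already ASCII
  const wantScheme = src.scheme || documentScheme;
  if (url.protocol !== wantScheme) return false;
  const pattern = normalize ? toAsciiHost(src.host) : src.host.toLowerCase();
  if (!hostPatternMatches(pattern, url.hostname)) return false;
  const reqPort = url.port || defaultPort(url.protocol);
  if (src.port === "*") return true;
  if (src.port) return src.port === reqPort;
  return reqPort === defaultPort(url.protocol);      // no port-part: default port only
}

// Stand-alone demo: the same policy and request, with and without normalization.
const policy = "bücher.example";                     // what the author types
const img = "https://bücher.example/logo.png";       // what the page loads
console.log(toAsciiHost(policy));                                  // xn--bcher-kva.example
console.log(hostSourceMatches(policy, img, { normalize: false })); // false: the footgun
console.log(hostSourceMatches(policy, img));                       // true
```

Run it with node. The author wrote the IRI form, the matcher sees the URI form, and unless the host-expression goes through the same ToASCII step as the request host the policy silently never matches. Labels whose IDNA2003 and IDNA2008 mappings differ, the disagreement the thread ends on, are exactly the cases where even this normalization can come out differently between implementations.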
