
Re: CSP and comma-separated directives

From: Daniel Veditz <dveditz@mozilla.com>
Date: Tue, 08 Jan 2013 09:12:14 -0800
Message-ID: <50EC536E.9030205@mozilla.com>
To: Julian Reschke <julian.reschke@gmx.de>
CC: "public-webappsec@w3.org" <public-webappsec@w3.org>

On 1/8/2013 8:13 AM, Julian Reschke wrote:
> ...and, even worse, "," is an allowed character in URIs...

Commas are not allowed in hostnames, which is all that's supported by CSP
1.0. In CSP 1.1 where we allow partial paths we should note that they 
are only allowed if they do not contain a comma or semi-colon, and that 
those punctuation marks will be interpreted as policy delimiters.

If someone wants to argue the other way that's fine, but either way the 
spec should be explicit about the handling of those two special characters.

-Dan Veditz
Received on Tuesday, 8 January 2013 17:12:44 GMT
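
The delimiter handling discussed in this message, as an added example that is not part of the original post or of any CSP implementation: a simplified splitter in which "," separates policies and ";" separates directives, run over a constructed partial-path source that contains a comma. The host name, path, and helper names are hypothetical, and percent-encoding the two characters is shown as one way to keep the source a single token, which is an assumption here rather than something the message proposes.

```javascript
// Simplified model of the delimiter handling described in the message:
// "," separates policies, ";" separates directives, whitespace separates
// tokens. This is not a complete CSP parser.
function parseHeader(value) {
  return value
    .split(",")
    .map((policy) =>
      policy
        .split(";")
        .map((d) => d.trim().split(/\s+/).filter(Boolean))
        .filter((tokens) => tokens.length > 0)
        .map(([name, ...sources]) => ({ name: name.toLowerCase(), sources }))
    )
    .filter((directives) => directives.length > 0);
}

// Percent-encode the two delimiter characters so that a path-bearing
// source expression survives splitting as one token (assumed mitigation).
function encodeDelimiters(source) {
  return source.replace(/,/g, "%2C").replace(/;/g, "%3B");
}

// Build a directive string without ever emitting a raw "," or ";"
// inside a source expression.
function buildDirective(name, sources) {
  return `${name} ${sources.map(encodeDelimiters).join(" ")}`;
}

// Constructed sample: a partial-path source containing a comma.
const rawSource = "https://cdn.example.com/js/v1,2/";

// Naive concatenation: the comma in the path ends the first policy early.
const naive = `script-src 'self' ${rawSource}; img-src 'self'`;

// Encoded form: one policy, two directives, the path intact.
const safe =
  `${buildDirective("script-src", ["'self'", rawSource])}; img-src 'self'`;

const naiveParsed = parseHeader(naive);
const safeParsed = parseHeader(safe);

console.log(JSON.stringify(naiveParsed, null, 2));
console.log(JSON.stringify(safeParsed, null, 2));
```

In the naive case the allowed source is truncated to the text before the comma and the remainder starts a second policy whose first directive name is path debris, so the policy that is enforced is not the one the author wrote.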
