Canonical paths

• From: Nick Krempel <ndkrempel@google.com>
• Date: Fri, 1 Mar 2013 20:24:15 +0000
• To: public-webappsec@w3.org
• Message-ID: <CAGu+aDcWe+GCK-4+rt+ePS7yefb+UpSj1cwn7gN0dV0n1N9Pww@mail.gmail.com>

Given a host source expression like "http://www.w3.org/scripts/", I
couldn't see any wording in the CSP 1.1 draft to make sure that "
http://www.w3.org/scripts/../bad.js" doesn't match it. Is this a problem?

Nick Krempel

Received on Saturday, 2 March 2013 21:45:58 UTC