
Canonical paths

From: Nick Krempel <ndkrempel@google.com>
Date: Fri, 1 Mar 2013 20:24:15 +0000
Message-ID: <CAGu+aDcWe+GCK-4+rt+ePS7yefb+UpSj1cwn7gN0dV0n1N9Pww@mail.gmail.com>
To: public-webappsec@w3.org
Given a host source expression like "http://www.w3.org/scripts/", I
couldn't see any wording in the CSP 1.1 draft to make sure that
"http://www.w3.org/scripts/../bad.js" doesn't match it. Is this a problem?

Nick Krempel
Received on Saturday, 2 March 2013 21:45:58 GMT
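
The following is an added example, not part of the original message or of the CSP draft: it compares a raw string-prefix match of the source expression against a match done after the WHATWG `URL` parser has removed dot segments. The function names, the sample URLs other than the two quoted in the message, and the rule "a source path ending in `/` is a directory prefix, otherwise exact match" are assumptions made for illustration.

```javascript
// Added illustration; function names are hypothetical, not from the CSP draft.

// Naive check: treat the source expression as a raw string prefix.
function naivePrefixMatch(sourceExpr, requestUrl) {
  return requestUrl.startsWith(sourceExpr);
}

// Canonicalizing check: parse both sides with the WHATWG URL parser, which
// removes "." and ".." path segments, then compare origin and path.
function canonicalMatch(sourceExpr, requestUrl) {
  let src, req;
  try {
    src = new URL(sourceExpr);
    req = new URL(requestUrl);
  } catch (e) {
    return false; // unparseable input never matches
  }
  if (src.origin !== req.origin) return false;
  // Assumption: a source path ending in "/" is a directory prefix,
  // anything else must match the whole path exactly.
  if (src.pathname.endsWith("/")) {
    return req.pathname.startsWith(src.pathname);
  }
  return req.pathname === src.pathname;
}

const SOURCE = "http://www.w3.org/scripts/";

// Constructed sample requests (the second is the one from the message).
const SAMPLES = [
  "http://www.w3.org/scripts/app.js",
  "http://www.w3.org/scripts/../bad.js",
  "http://www.w3.org/scripts/lib/../../bad.js",
  "http://www.w3.org/scripts/lib/../ok.js",
];

// Returns one row per sample so the two checks can be compared side by side.
function compare() {
  return SAMPLES.map((url) => ({
    url,
    naive: naivePrefixMatch(SOURCE, url),
    canonical: canonicalMatch(SOURCE, url),
  }));
}

console.table(compare());
```

The rows where `naive` is true and `canonical` is false are the requests that escape the `/scripts/` directory once dot segments are resolved.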
