
Re: Canonical paths

From: Daniel Veditz <dveditz@mozilla.com>
Date: Fri, 08 Mar 2013 15:24:41 -0800
Message-ID: <513A7339.70206@mozilla.com>
To: Nick Krempel <ndkrempel@google.com>
CC: public-webappsec@w3.org

On 3/1/2013 12:24 PM, Nick Krempel wrote:
> Given a host source expression like "http://www.w3.org/scripts/", I
> couldn't see any wording in the CSP 1.1 draft to make sure that
> "http://www.w3.org/scripts/../bad.js" doesn't match it. Is this a problem?

It's not a problem if user agents canonicalize URLs according to 
http://tools.ietf.org/html/rfc3986#section-6.2.2.3 before applying CSP 
restrictions. Firefox does and I assume Chrome does too, but it probably 
wouldn't hurt to mention it explicitly in the spec.


The 3.2.2 Source List section of the CSP spec does mention two parts of 
rfc3986 in the syntax section. We should add a step 0 to section 3.2.2.2 
"Matching"

   0. The URI must be normalized according to RFC 3986 section 6
   1. If the source expression....

-Dan Veditz
Received on Friday, 8 March 2013 23:25:16 GMT
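An added example, not part of the thread and not any browser's CSP implementation, of the "step 0" Dan proposes: run RFC 3986 remove_dot_segments (section 5.2.4, which section 6.2.2.3 path segment normalization invokes) over the URL path before doing the host-source path-prefix match. The parseUrl and matchesHostSource helpers are hypothetical, minimal stand-ins for a CSP matcher (scheme, host and path only, no port or percent-encoding normalization); the two URLs are the constructed inputs from the quoted question.

```javascript
// RFC 3986 section 5.2.4 remove_dot_segments, transcribed rule by rule.
function removeDotSegments(path) {
  let input = path;
  const output = [];
  while (input.length > 0) {
    if (input.startsWith("../")) {
      input = input.slice(3);                // rule A
    } else if (input.startsWith("./")) {
      input = input.slice(2);                // rule A
    } else if (input.startsWith("/./")) {
      input = input.slice(2);                // rule B: "/./x" -> "/x"
    } else if (input === "/.") {
      input = "/";                           // rule B
    } else if (input.startsWith("/../")) {
      input = input.slice(3);                // rule C: "/../x" -> "/x" ...
      output.pop();                          // ... and drop the last output segment
    } else if (input === "/..") {
      input = "/";                           // rule C
      output.pop();
    } else if (input === "." || input === "..") {
      input = "";                            // rule D
    } else {
      // rule E: move the first segment (with its leading "/") to output
      const start = input.startsWith("/") ? 1 : 0;
      const next = input.indexOf("/", start);
      const seg = next === -1 ? input : input.slice(0, next);
      output.push(seg);
      input = next === -1 ? "" : input.slice(next);
    }
  }
  return output.join("");
}

// Hypothetical helper: hand-rolled so the raw path is visible. A real URL
// parser (e.g. the WHATWG URL object) normalizes for you, which would hide
// the "before" case below. Assumes an absolute http(s) URL.
function parseUrl(url) {
  const m = /^([a-z][a-z0-9+.-]*):\/\/([^\/?#]+)(\/[^?#]*)?/i.exec(url);
  if (!m) throw new Error("not an absolute URL: " + url);
  return { scheme: m[1].toLowerCase(), host: m[2].toLowerCase(), path: m[3] || "/" };
}

// Hypothetical, minimal host-source matcher: a source path ending in "/"
// is a prefix match on the URL path, otherwise an exact match.
// `normalize` toggles the proposed step 0.
function matchesHostSource(sourceExpr, url, normalize) {
  const src = parseUrl(sourceExpr);
  const u = parseUrl(url);
  if (src.scheme !== u.scheme || src.host !== u.host) return false;
  const path = normalize ? removeDotSegments(u.path) : u.path;
  if (src.path.endsWith("/")) return path.startsWith(src.path);
  return path === src.path;
}

// Constructed inputs from the quoted question.
const SOURCE = "http://www.w3.org/scripts/";
const TRAVERSAL = "http://www.w3.org/scripts/../bad.js";

function demo() {
  return {
    // Prefix check on the un-normalized path is fooled by the ".." segment.
    rawMatch: matchesHostSource(SOURCE, TRAVERSAL, false),
    // After step 0 the path is "/bad.js", which is outside "/scripts/".
    normalizedMatch: matchesHostSource(SOURCE, TRAVERSAL, true),
    normalizedPath: removeDotSegments(parseUrl(TRAVERSAL).path),
  };
}

console.log(demo());
```

The point of the `rawMatch` / `normalizedMatch` pair is that a CSP matcher which takes the path as written sees "/scripts/../bad.js" as living under "/scripts/"; only after dot-segment removal does the comparison reflect the resource actually fetched. Percent-encoded dots ("%2e%2e") are a separate normalization (RFC 3986 section 6.2.2.2) and are not handled here.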
