- From: Thomas Roessler <tlr@w3.org>
- Date: Tue, 27 May 2008 20:48:29 +0200
- To: Jonas Sicking <jonas@sicking.cc>
- Cc: Ian Hickson <ian@hixie.ch>, Anne van Kesteren <annevk@opera.com>, "public-webapi@w3.org" <public-webapi@w3.org>, "public-appformats@w3.org" <public-appformats@w3.org>
On 2008-05-27 11:00:44 -0700, Jonas Sicking wrote:

> What I suggest is that we prohibit the Access-Control-Policy-Path
> header from being used on URIs that include the string "..\", in
> escaped or unescaped form. One worry with this is if there are
> encodings which put the '.' or '\' characters to other codepoints
> than 2E and 5C respectively. I.e. would we need to forbid its
> use on URIs other than ones containing

That sounds like perpetuating a bad hack in a spec.

I'd rather see us say -- in a note somewhere in the spec -- that servers will want to be careful, and will want to, e.g., configure their respective web application firewall to prevent this attack from occurring.

That's very different from having specific client conformance requirements around this kind of server behavior.

--
Thomas Roessler, W3C <tlr@w3.org>
Received on Tuesday, 27 May 2008 18:49:13 UTC
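The server-side rule Jonas proposes (no Access-Control-Policy-Path on a URI whose path carries a "..\" segment, escaped or not) can be expressed as a small request filter; the following is an added illustration, not code from either author or from the W3C spec. It handles single and nested percent-encoding and folds backslashes into slashes, but not the alternative code-point encodings Jonas raises; the decode bound, the function names and the header value are assumptions for the example.

```python
from urllib.parse import unquote

# Assumption: bound repeated percent-decoding so doubly-encoded forms such as
# "%252E%252E%255C" are caught without looping on pathological input.
MAX_DECODE_ROUNDS = 3


def normalize_path(path: str) -> str:
    """Percent-decode until the string is stable, then fold '\\' into '/'.

    Both '..\\' and '../' end up as a bare '..' segment, so one check covers
    the escaped and unescaped forms the proposal talks about.
    """
    decoded = path
    for _ in range(MAX_DECODE_ROUNDS):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded.replace("\\", "/")


def has_dot_dot_segment(path: str) -> bool:
    """True when any path segment is exactly '..' after normalization."""
    return any(segment == ".." for segment in normalize_path(path).split("/"))


def policy_path_allowed(request_path: str) -> bool:
    """Jonas's rule: the header may only be emitted on paths without '..' segments."""
    return not has_dot_dot_segment(request_path)


def response_headers(request_path: str, policy_path: str) -> dict:
    """Build the access-control headers a server would send for one request.

    The header is simply dropped on a rejected path; the value format is a
    placeholder, since the e-mail does not show the header's syntax.
    """
    headers = {}
    if policy_path_allowed(request_path):
        headers["Access-Control-Policy-Path"] = policy_path
    return headers


if __name__ == "__main__":
    # Constructed sample requests: plain, escaped and doubly-escaped traversal.
    for sample in ("/app/data.json", "/app/..\\secret", "/app/%2e%2e%5csecret",
                   "/app/%252e%252e%255csecret", "/app/..notes/index"):
        print(sample, "->", response_headers(sample, "/app/"))
```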