- From: Chris Weber <chris@casabasecurity.com>
- Date: Fri, 22 Apr 2011 10:36:06 -0700
- To: "Shawn Steele" <Shawn.Steele@microsoft.com>, <public-iri@w3.org>
- Message-ID: <02b801cc0113$c3845da0$4a8d18e0$@casabasecurity.com>
Browsers seem like a good focal point for testing, especially given Adam’s test suite, Erik van der Poel’s curlies, and others. Those test cases could be repurposed to target APIs or other applications at some point if that testing would be useful. I’m also concerned about the total environment as Shawn mentions – especially Web servers and Cloud APIs as those Web Services make trust decisions based on how the IRI would be parsed.

Microsoft IIS has a special %uNNNN notation that’s been around as long as I can remember. It’s been a vector for several security issues I’ve seen. You can see this live at http://search.microsoft.com/Results.aspx?q=I%u2665Unicode. In some versions of IIS this notation is also allowed in place of the path separator “/” as %u002F as well as path name segments. That’s probably not best practice but does demonstrate actual behavior.

-Chris

From: public-iri-request@w3.org [mailto:public-iri-request@w3.org] On Behalf Of Shawn Steele
Sent: Thursday, April 21, 2011 7:59 AM
To: public-iri@w3.org
Subject: Tests of observed behavior

It was suggested on the phone that collecting examples of actual browser behavior would be useful. I'd like to point out that "actual behavior" may not be the best desired practices. Particularly around BIDI.

Also, browsers aren't the total environment of the IRI, which can also be used in the OS (Start->Run), other applications, and even end up in email clients and word processors (when people type them in and they're autodetected into hot links).

-Shawn
http://blogs.msdn.com/shawnste
Received on Friday, 22 April 2011 17:36:29 UTC
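
The parsing disagreement described in the message above can be checked for on the defensive side. The following is an added example, not part of the original message or of any product's code: it compares standard percent-decoding with a decoder that also accepts %uNNNN and reports when the two see different path structure. The extended decoder is an assumed single-pass model, not IIS's actual implementation, and the function names and sample paths are constructed for illustration.

```python
import re
from urllib.parse import unquote

# %uNNNN is the non-standard escape from the message; %XX is RFC 3986.
_U_ESCAPE = re.compile(r"%u([0-9a-fA-F]{4})")
_ANY_ESCAPE = re.compile(r"%u([0-9a-fA-F]{4})|((?:%[0-9a-fA-F]{2})+)")


def decode_standard(path: str) -> str:
    """Decode %XX only; a %uNNNN sequence stays as literal text."""
    return unquote(path)


def decode_with_u_escapes(path: str) -> str:
    """Assumed model of a decoder that also accepts %uNNNN.

    Each escape is decoded once, in a single left-to-right pass, so a
    decoded '%' is never re-interpreted as the start of another escape.
    """
    def _sub(match: re.Match) -> str:
        if match.group(1) is not None:
            return chr(int(match.group(1), 16))
        return unquote(match.group(2))

    return _ANY_ESCAPE.sub(_sub, path)


def audit(path: str) -> dict:
    """Report whether the two decoders would parse the path differently."""
    std = decode_standard(path)
    ext = decode_with_u_escapes(path)
    return {
        "has_u_escape": bool(_U_ESCAPE.search(path)),
        "decoders_disagree": std != ext,
        # Separators visible only to the %u-aware decoder.
        "extra_separators": ext.count("/") - std.count("/"),
        "standard": std,
        "extended": ext,
    }


if __name__ == "__main__":
    # Constructed sample paths, not taken from any real server.
    for sample in ("/docs/I%u2665Unicode",
                   "/public%u002Fadmin/report",
                   "/docs/caf%C3%A9"):
        print(sample, audit(sample))
```

A front-end filter or log pipeline can reject or flag any request where `decoders_disagree` is true, since the component making the trust decision and the server resolving the path may not be looking at the same string.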