Re: Moving forward with XHR2 and AC

Thomas Roessler wrote:
> On 2008-05-27 11:00:44 -0700, Jonas Sicking wrote:
> 
>> What I suggest is that we prohibit the Access-Control-Policy-Path
>> header from being used on URIs that include the string "..\", in
>> escaped or unescaped form. One worry with this is if there are
>> encodings which put the '.' or '\' characters to other codepoints
>> than 2E and 5C respectively. I.e. would we need to forbid its
>> use on URIs other than ones containing
> 
> That sounds like perpetuating a bad hack in a spec.  I'd rather see
> us say -- in a note somewhere in the spec -- that servers will want
> to be careful, and will want to, e.g., configure their respective
> web application firewall to prevent this attack from occurring.
> 
> That's very different from having specific client conformance
> requirements around this kind of server behavior.

I really dislike it too, but just putting a "be careful" note in the 
spec isn't going to help anyone.

If we don't put this in the spec I suspect that in reality this is 
something that implementations are going to want to do anyway. I guess 
I'm fine with having this as a non-normative note to ensure that 
implementations that want to be on the safe side can.

But at that point we might as well enforce it in the spec too so that 
sites can rely on it.

/ Jonas

Received on Tuesday, 27 May 2008 21:45:06 UTC
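The rule Jonas proposes above (refuse to honour the Access-Control-Policy-Path header on any request URI that contains "..\" in escaped or unescaped form) can be expressed as a small client-side check. The following is an added illustration, not code from the thread or from any browser or W3C implementation; the function names `contains_dot_dot_backslash` and `policy_path_allowed` and the sample URIs are constructed for this example. It covers the literal sequence, single percent-encoding in either hex case, and repeated (double) percent-encoding; the thread's open worry about charsets that map '.' and '\' to code points other than 2E and 5C is deliberately not addressed here, and a comment marks that limitation.

```python
from urllib.parse import unquote

# The byte sequence the proposed rule keys on: two dots and a backslash.
DOT_DOT_BACKSLASH = "..\\"


def percent_decode_fully(s: str, max_rounds: int = 3) -> str:
    """Percent-decode until the string stops changing, bounded so that
    pathological inputs cannot loop forever.  Repeating the decode is what
    catches double-encoded forms such as %252e%252e%255c."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def contains_dot_dot_backslash(uri: str) -> bool:
    """True if the URI carries "..\\" literally, percent-encoded (any hex
    case, e.g. %2E%2E%5C or %2e%2e%5c), or double-encoded.

    Limitation (matching the concern raised in the thread): only ASCII and
    percent-encoding are considered.  Charsets that represent '.' or '\\'
    with other code points are not detected by this check."""
    candidates = {uri, percent_decode_fully(uri)}
    return any(DOT_DOT_BACKSLASH in candidate for candidate in candidates)


def policy_path_allowed(request_uri: str, has_policy_path_header: bool) -> bool:
    """Decide whether a client should honour Access-Control-Policy-Path for
    this request.  Requests without the header are unaffected; requests with
    it are refused when the URI contains the forbidden sequence."""
    if not has_policy_path_header:
        return True
    return not contains_dot_dot_backslash(request_uri)


if __name__ == "__main__":
    # Constructed sample request URIs for demonstration.
    samples = [
        "/api/resource",
        "/api/..\\other",
        "/api/%2e%2e%5cother",
        "/api/%2E%2E%5Cother",
        "/api/..%5cother",
        "/api/%252e%252e%255cother",
        "/api/../other",  # forward slash: not the sequence the rule names
    ]
    for uri in samples:
        verdict = "honour" if policy_path_allowed(uri, True) else "REFUSE"
        print(f"{verdict:7} {uri}")
```

Running the block prints one verdict per constructed URI; only the entries containing "..\" in some percent-encoded or literal form are refused, while the plain "../" form passes because the proposed rule, as worded in the thread, names only the backslash sequence.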