- From: Ian Hickson <ian@hixie.ch>
- Date: Wed, 28 May 2008 00:21:31 +0000 (UTC)
- To: Jonas Sicking <jonas@sicking.cc>
- Cc: Anne van Kesteren <annevk@opera.com>, "public-webapi@w3.org" <public-webapi@w3.org>, "public-appformats@w3.org" <public-appformats@w3.org>
On Tue, 27 May 2008, Jonas Sicking wrote:
>
> What I suggest is that we prohibit the Access-Control-Policy-Path header
> from being used on URIs that include the string "..\", in escaped or
> unescaped form. One worry with this is if there are encodings which put
> the '.' or '\' characters to other codepoints than 2E and 5C
> respectively. I.e. would we need to forbid its use on URIs other than
> ones containing
>
> (.|%2e)(.|%2e)(\|%5c)

I could live with that.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Wednesday, 28 May 2008 00:22:11 UTC
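
An added example, not part of the original message or of any specification: a JavaScript check for the "..\" sequence discussed above, in escaped, unescaped or mixed form. The function names and sample URIs are hypothetical; the check accepts percent-escape hex digits in either case (RFC 3986 treats them as equivalent) and contrasts that with pasting the pattern from the message into a regular expression unchanged, where an unescaped "." matches any character.

```javascript
// Added illustration; function names are hypothetical, not from any spec.

// Each position accepts the literal character or its percent-escape.
// Hex digits in percent-escapes are case-insensitive (RFC 3986), so the
// "i" flag makes %2E and %5C match as well as %2e and %5c.
const DOT = "(?:\\.|%2e)";
const BACKSLASH = "(?:\\\\|%5c)";
const DOT_DOT_BACKSLASH = new RegExp(DOT + DOT + BACKSLASH, "i");

// True when the URI contains "..\" in escaped, unescaped or mixed form.
// Only one level of percent-escaping is considered, as in the message.
function containsDotDotBackslash(uri) {
  return DOT_DOT_BACKSLASH.test(uri);
}

// The pattern from the message used as a regex without escaping the dot:
// "." then matches any character, so unrelated URIs are flagged too.
const NAIVE = /(.|%2e)(.|%2e)(\\|%5c)/;
function naiveMatch(uri) {
  return NAIVE.test(uri);
}

// Constructed sample URIs.
const samples = [
  "http://example.org/a/..\\b",       // unescaped
  "http://example.org/a/%2e%2E%5Cb",  // escaped, mixed hex case
  "http://example.org/a/.%2e%5cb",    // mixed escaped and unescaped
  "http://example.org/a/ab%5cc",      // no dots: only the naive regex flags it
  "http://example.org/a/../b",        // forward slash: not covered by the rule
];
for (const uri of samples) {
  console.log(uri, containsDotDotBackslash(uri), naiveMatch(uri));
}
```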