Re: Moving forward with XHR2 and AC from Ian Hickson on 2008-05-28 (public-webapi@w3.org from May 2008)

From: Ian Hickson <ian@hixie.ch>
Date: Wed, 28 May 2008 00:21:31 +0000 (UTC)
To: Jonas Sicking <jonas@sicking.cc>
Cc: Anne van Kesteren <annevk@opera.com>, "public-webapi@w3.org" <public-webapi@w3.org>, "public-appformats@w3.org" <public-appformats@w3.org>
Message-ID: <Pine.LNX.4.62.0805280021210.12907@hixie.dreamhostps.com>

On Tue, 27 May 2008, Jonas Sicking wrote:
> 
> What I suggest is that we prohibit the Access-Control-Policy-Path header 
> from being used on URIs that include the string "..\", in escaped or 
> unescaped form. One worry with this is if there are encodings which put 
> the '.' or '\' characters to other codepoints than 2E and 5C 
> respectively. I.e. would we need to forbid its use on URIs other than 
> ones containing
> 
> (.|%2e)(.|%2e)(\|%5c)

I could live with that.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Received on Wednesday, 28 May 2008 00:22:11 UTC