Re: Moving forward with XHR2 and AC

On Tue, 27 May 2008, Jonas Sicking wrote:
> 
> What I suggest is that we prohibit the Access-Control-Policy-Path header 
> from being used on URIs that include the string "..\", in escaped or 
> unescaped form. One worry with this is if there are encodings which put 
> the '.' or '\' characters to other codepoints than 2E and 5C 
> respectively. I.e. would we need to forbid its use on URIs other than 
> ones containing
> 
> (.|%2e)(.|%2e)(\|%5c)

I could live with that.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Received on Wednesday, 28 May 2008 00:22:11 UTC