W3C home > Mailing lists > Public > public-webapps@w3.org > January to March 2015

Re: CORS performance proposal

From: Anne van Kesteren <annevk@annevk.nl>
Date: Sat, 21 Feb 2015 08:43:34 +0100
Message-ID: <CADnb78jX8XXYFbKgGHG+m11Mn3NdsyZSy9s_+qMLrt=yFH0HLw@mail.gmail.com>
To: Jonas Sicking <jonas@sicking.cc>
Cc: WebAppSec WG <public-webappsec@w3.org>, WebApps WG <public-webapps@w3.org>
On Fri, Feb 20, 2015 at 9:38 PM, Jonas Sicking <jonas@sicking.cc> wrote:
> On Fri, Feb 20, 2015 at 1:05 AM, Anne van Kesteren <annevk@annevk.nl> wrote:
>> An alternative is that we attempt to introduce
>> Access-Control-Policy-Path again from 2008. The problems you raised
>> https://lists.w3.org/Archives/Public/public-appformats/2008May/0037.html
>> seem surmountable. URL parsing is defined in more detail these days
>> and we could simply ban URLs containing escaped \ and /.
>
> I do remember that another issue that came up back then was that
> servers would treat more than just '\', or the escaped version
> thereof, as a /. But also any character whose low-byte was equal to
> the ascii code for '\' or '/'. I.e. the server would just cut the
> high-byte when doing some internal 2byte-string to 1byte-string
> conversion. Potentially this conversion is affected by what character
> encodings the server is configured for too, but i'm less sure about
> that.

High-byte of what? A URL is within ASCII range when it reaches the
server. This is the first time I hear of this.


-- 
https://annevankesteren.nl/
Received on Saturday, 21 February 2015 07:44:01 UTC

This archive was generated by hypermail 2.3.1 : Friday, 27 October 2017 07:27:25 UTC