- From: Boris Zbarsky <bzbarsky@MIT.EDU>
- Date: Fri, 07 Sep 2012 00:02:22 -0400
- To: Adam Barth <w3c@adambarth.com>
- CC: public-webappsec@w3.org
On 9/6/12 11:48 PM, Adam Barth wrote:
> HTTP operates in terms of URIs.

Yes, but very few authors actually write HTTP servers.

> I'm not sure I understand your question. Authors deal with
> host-expressions the same way they deal with the HTTP Host header.

Authors generally don't have to author Host headers; the UA sends those. They will, however, need to author host-expressions to actually use CSP.

>> Why not? Everything else a browser has lying around (e.g. document
>> locations) is IRIs. Are host-source expressions never compared to document
>> locations?
>
> In the end, the browser needs to translate IRIs into URIs for use in
> HTTP. Everything in CSP 1.0 is defined in terms of networking
> operations

OK, fair.

> Indeed, but that's outside the scope of CSP 1.0.

Yes, I understand that's your position. I just wish there were a way to make this stuff less of a footgun for authors...

> Actually, if your issue is with the WebKit implementation, you can
> just file a bug and I'll write a test in the course of fixing it.

https://bugs.webkit.org/show_bug.cgi?id=96061

Note that I haven't looked through the Gecko version carefully (because regexps); it may have similar problems.

> The short version is that the IETF insists that folks use IDNA2008,
> but most browsers implement something closer to IDNA2003. IDNA2008 is
> not backwards compatible with IDNA2003 and so will never actually be
> deployed. Any attempts to hammer out a browser-consensus spec get
> shouted down by folks who are pushing IDNA2008.

I see. <sigh>.

-Boris
Received on Friday, 7 September 2012 04:02:52 UTC
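The point of the exchange above is that a CSP host-source is written by an author (often as an IRI with a Unicode hostname) but is matched against network-level URIs, so a matcher has to bring both sides to the same form before comparing. The following is an added example illustrating that normalization; it is not code from the thread, from WebKit or from Gecko. It assumes the simplified CSP 1.0 host-source grammar `[scheme "://"] host [":" port]` with an optional leading `*.` wildcard (and a bare `*`), and it uses Python's built-in `idna` codec, which follows IDNA2003 (the flavour the message says browsers are closer to) rather than IDNA2008.

```python
"""Illustrative CSP 1.0 host-source matcher that IDNA-normalizes hostnames.

Added example (not WebKit/Gecko code).  Handles the simplified grammar
[scheme "://"] host [":" port], a leading "*." wildcard and a bare "*".
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize_host(host):
    """Lower-case and IDNA-encode a hostname so that a Unicode (IRI) host and
    its punycode (URI) spelling compare equal.  Returns None for hosts the
    IDNA codec rejects.  Python's codec implements IDNA2003, not IDNA2008."""
    host = host.strip().rstrip(".").lower()
    if not host:
        return None
    try:
        return host.encode("idna").decode("ascii")
    except UnicodeError:
        return None


def parse_host_source(expr):
    """Split a host-source into (scheme, wildcard, host, port).

    scheme is None when absent; wildcard is True for "*.host" or bare "*"
    (host is "" in the bare case); port is an int, "*" for any port, or
    None meaning "the default port of the relevant scheme"."""
    scheme = None
    if "://" in expr:
        scheme, expr = expr.split("://", 1)
        scheme = scheme.lower()
    host, _, port = expr.partition(":")
    if port and port != "*":
        if not port.isdigit():
            raise ValueError("bad port in host-source: %r" % expr)
        port = int(port)
    port = port or None
    if host == "*":
        wildcard, host = True, ""
    else:
        wildcard = host.startswith("*.")
        if wildcard:
            host = host[2:]
        host = normalize_host(host)
        if host is None:
            raise ValueError("bad host in host-source: %r" % expr)
    return scheme, wildcard, host, port


def matches(expr, url):
    """True if the resource URL is permitted by the host-source expression.

    Both the expression's host and the URL's host go through normalize_host,
    so "bücher.example" and "xn--bcher-kva.example" are treated as the same
    host no matter which spelling the author or the document used."""
    scheme, wildcard, host, port = parse_host_source(expr)
    parts = urlsplit(url)
    url_scheme = parts.scheme.lower()
    url_host = normalize_host(parts.hostname or "")
    if url_host is None:
        return False
    url_port = parts.port or DEFAULT_PORTS.get(url_scheme)

    if scheme is not None and scheme != url_scheme:
        return False
    if wildcard:
        # "*.example" matches subdomains only, never "example" itself.
        host_ok = (not host) or url_host.endswith("." + host)
    else:
        host_ok = url_host == host
    if not host_ok:
        return False
    if port == "*":
        return True
    want_port = port if port is not None else DEFAULT_PORTS.get(scheme or url_scheme)
    return want_port == url_port


if __name__ == "__main__":
    # Constructed sample inputs: the same host spelled as an IRI and as a URI.
    for expr, url in [
        ("https://bücher.example", "https://xn--bcher-kva.example/buch"),
        ("*.bücher.example", "https://static.xn--bcher-kva.example/a.js"),
        ("*.bücher.example", "https://bücher.example/a.js"),
        ("https://bücher.example", "https://bücher.example:8443/"),
    ]:
        print("%-28s %-45s %s" % (expr, url, matches(expr, url)))
```

The design choice worth noting is that normalization happens on both sides inside `matches`, not only when the policy is parsed: a document location is an IRI just as much as the author's policy text is, so normalizing only one side would leave a policy written as `bücher.example` failing to match a resource fetched from `xn--bcher-kva.example`, or vice versa.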