- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Thu, 27 Jun 2013 14:41:21 +0100
- To: Adam Barth <w3c@adambarth.com>
- Cc: WebAppSec WG <public-webappsec@w3.org>

On Wed, Jun 26, 2013 at 5:41 PM, Adam Barth <w3c@adambarth.com> wrote:
> I guess I'm not sure what behavior you're advocating for... Are you
> happy with the status quo? Would you prefer that we stripped the URL
> ourselves without referring to rfc6454?

I was not trying to advocate anything in particular. I was trying to
understand why this field mixes various data types.

> It sounds like you think we should always have a valid URL in this
> field, which seems reasonable. If the blocked URL is a data URL,
> presumably we don't want to send the whole data URL in the report...
> Maybe we should find another way of summarizing the data URL that is
> still a valid URL?

If it's just data URLs for which this is a problem, "data:," is the
shortest valid data URL I know of. But I think it might be a problem
for blob URLs too. We could probably make the URL parser work for
"data:" and "blob:". They would not be valid data or blob URLs, but
would parse as URLs, if that makes sense.

--
http://annevankesteren.nl/

Received on Thursday, 27 June 2013 13:41:48 UTC
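
The summarization idea discussed in this message, as an added example that is not part of the original email or of any specification: a hypothetical `summarizeBlockedUrl` helper keeps only the origin for http(s) URLs and only the scheme for everything else, so the contents of a data or blob URL never reach the report while the reported value still parses as a URL. The function names and sample URLs are constructed for illustration.

```javascript
// Added example: hypothetical helpers, not an algorithm taken from a spec.
// Uses the WHATWG URL parser built into Node.js and browsers.

// Schemes whose origin (scheme://host:port) is a meaningful summary.
const ORIGIN_SCHEMES = new Set(["http:", "https:"]);

// Reduce a blocked URL to a value that is safe to put in a report.
// Returns null when the input does not parse as an absolute URL.
function summarizeBlockedUrl(raw) {
  let url;
  try {
    url = new URL(raw);
  } catch {
    return null;
  }
  if (ORIGIN_SCHEMES.has(url.protocol)) {
    // Drops path, query and fragment, which may carry tokens.
    return url.origin;
  }
  // data:, blob: and other schemes: report the scheme only, so the
  // embedded payload (or the blob's creator origin and id) is not sent.
  return url.protocol;
}

// True when the string parses as an absolute URL on its own.
function parsesAsUrl(value) {
  try {
    new URL(value);
    return true;
  } catch {
    return false;
  }
}

// Constructed sample inputs.
const SAMPLES = [
  "https://example.com:8443/cb?token=abc123#frag",
  "data:text/html;base64,PGI+c2VjcmV0PC9iPg==",
  "blob:https://example.com/550e8400-e29b-41d4-a716-446655440000",
];

for (const sample of SAMPLES) {
  const summary = summarizeBlockedUrl(sample);
  console.log(`${sample} -> ${summary} (parses: ${parsesAsUrl(summary)})`);
}
```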