- From: Daniel Veditz <dveditz@mozilla.com>
- Date: Fri, 08 Mar 2013 15:24:41 -0800
- To: Nick Krempel <ndkrempel@google.com>
- CC: public-webappsec@w3.org
On 3/1/2013 12:24 PM, Nick Krempel wrote:
> Given a host source expression like "http://www.w3.org/scripts/", I
> couldn't see any wording in the CSP 1.1 draft to make sure that
> "http://www.w3.org/scripts/../bad.js" doesn't match it. Is this a problem?

It's not a problem if user agents canonicalize URLs according to
http://tools.ietf.org/html/rfc3986#section-6.2.2.3 before applying CSP
restrictions. Firefox does and I assume Chrome does too, but it probably
wouldn't hurt to mention it explicitly in the spec. The 3.2.2 Source List
section of the CSP spec does mention two parts of rfc3986 in the syntax
section.

We should add a step 0 to section 3.2.2.2 "Matching":

0. The URI must be normalized according to RFC 3986 section 6
1. If the source expression....

-Dan Veditz
Received on Friday, 8 March 2013 23:25:16 UTC
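The "step 0" proposed above, as an added example that is not part of this thread or of any browser's CSP code: a dot-segment remover per RFC 3986 section 5.2.4 and a simplified CSP 1.1 host-source matcher (scheme, host, path prefix; wildcard hosts and default ports are assumed out of scope), showing that the "../bad.js" URL from the thread only fails to match "http://www.w3.org/scripts/" once the URL has been normalized.

```python
"""Added example, not from the thread: CSP path-prefix matching must run on
the normalized URL. remove_dot_segments follows RFC 3986 section 5.2.4; the
matcher is a simplified CSP 1.1 scheme/host/path check (wildcard hosts and
default ports are out of scope, an assumption of this example)."""
from urllib.parse import urlsplit, urlunsplit


def remove_dot_segments(path: str) -> str:
    """RFC 3986 5.2.4: resolve '.' and '..' segments of an absolute path.
    A trailing '.' or '..' leaves a trailing '/', as the RFC requires."""
    output = []
    segments = path.split("/")
    for i, seg in enumerate(segments):
        last = i == len(segments) - 1
        if seg == "..":
            if len(output) > 1:  # never pop the leading root segment
                output.pop()
            if last:
                output.append("")
        elif seg == ".":
            if last:
                output.append("")
        else:
            output.append(seg)
    return "/".join(output)


def normalize(url: str) -> str:
    """RFC 3986 section 6 subset: lowercase scheme and host (6.2.2.1) and
    remove dot segments (6.2.2.3)."""
    p = urlsplit(url)
    return urlunsplit((p.scheme.lower(), p.netloc.lower(),
                       remove_dot_segments(p.path or "/"), p.query, p.fragment))


def matches_source(url: str, source: str, canonicalize: bool = True) -> bool:
    """Simplified CSP 1.1 host-source match: a source path ending in '/' is a
    prefix match, any other path must match exactly. canonicalize=False
    shows what a naive matcher does with the un-normalized URL."""
    u = urlsplit(normalize(url) if canonicalize else url)
    s = urlsplit(source)
    if u.scheme != s.scheme.lower() or u.netloc != s.netloc.lower():
        return False
    if not s.path:
        return True
    if s.path.endswith("/"):
        return u.path.startswith(s.path)
    return u.path == s.path
```

`matches_source("http://www.w3.org/scripts/../bad.js", "http://www.w3.org/scripts/")` returns False because the normalized path is `/bad.js`; the same call with `canonicalize=False` returns True, which is the gap the thread is about.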