Re: Canonical paths

On 3/1/2013 12:24 PM, Nick Krempel wrote:
> Given a host source expression like "", I
> couldn't see any wording in the CSP 1.1 draft to make sure that
> "" doesn't match it. Is this a problem?

It's not a problem if user agents canonicalize URLs according to before applying CSP 
restrictions. Firefox does and I assume Chrome does too, but it probably 
wouldn't hurt to mention it explicitly in the spec.

The 3.2.2 Source List section of the CSP spec does mention two parts of 
rfc3986 in the syntax section. We should add a step 0 to section 

   0. The URI must be normalized according to RFC 3986 section 6
   1. If the source expression....

-Dan Veditz

Received on Friday, 8 March 2013 23:25:16 UTC