Makes sense: added as
https://dvcs.w3.org/hg/content-security-policy/rev/508b840781ca
-mike
--
Mike West <mkwst@google.com>, Developer Advocate
Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91
On Sat, Mar 9, 2013 at 12:24 AM, Daniel Veditz <dveditz@mozilla.com> wrote:
> On 3/1/2013 12:24 PM, Nick Krempel wrote:
>
>> Given a host source expression like "http://www.w3.org/scripts/", I
>> couldn't see any wording in the CSP 1.1 draft to make sure that
>> "http://www.w3.org/scripts/../bad.js"
>> doesn't match it. Is this a problem?
>>
>
> It's not a problem if user agents canonicalize URLs according to
> http://tools.ietf.org/html/rfc3986#section-6.2.2.3 before applying CSP
> restrictions. Firefox does and I assume Chrome does
> too, but it probably wouldn't hurt to mention it explicitly in the spec.
>
>
> The 3.2.2 Source List section of the CSP spec does mention two parts of
> rfc3986 in the syntax section. We should add a step 0 to section 3.2.2.2
> "Matching"
>
> 0. The URI must be normalized according to RFC 3986 section 6
> 1. If the source expression....
>
> -Dan Veditz
>
>
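The "step 0" normalization Dan proposes, worked through as an added Python example (not code from the spec, Firefox or Chrome; it assumes host-source expressions written as full URLs without wildcards and implements only scheme, host, port and path matching). With `canonicalize=False` the matcher shows the prefix-match escape Nick asked about; with dot-segment removal applied first it does not.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def remove_dot_segments(path: str) -> str:
    """RFC 3986 section 5.2.4: resolve '.' and '..' segments of an absolute path."""
    segments = path.split("/")
    output = []
    for seg in segments:
        if seg == ".":
            continue                       # "/./" contributes nothing
        if seg == "..":
            if len(output) > 1:            # never climb above the root
                output.pop()
            continue
        output.append(seg)
    if segments[-1] in (".", ".."):        # a trailing dot segment keeps the trailing "/"
        output.append("")
    return "/".join(output) or "/"

def split_normalized(url: str, canonicalize: bool):
    """Scheme, host and port normalized per RFC 3986 section 6.2.2; dot-segment
    removal on the path is optional so the two behaviours can be compared."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    host = (u.hostname or "").lower()
    port = u.port or DEFAULT_PORTS.get(scheme)
    path = u.path or "/"
    if canonicalize:
        path = remove_dot_segments(path)
    return scheme, host, port, path

def matches(source_expr: str, url: str, canonicalize: bool = True) -> bool:
    """Simplified CSP 1.1 host-source match (assumption, not the spec text verbatim):
    scheme, host and port must agree; a source path ending in "/" is a prefix
    match on the URL path, any other source path must match exactly."""
    s_scheme, s_host, s_port, s_path = split_normalized(source_expr, True)
    u_scheme, u_host, u_port, u_path = split_normalized(url, canonicalize)
    if (s_scheme, s_host, s_port) != (u_scheme, u_host, u_port):
        return False
    if s_path.endswith("/"):
        return u_path.startswith(s_path)
    return s_path == u_path
```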