Makes sense: added as https://dvcs.w3.org/hg/content-security-policy/rev/508b840781ca -mike -- Mike West <mkwst@google.com>, Developer Advocate Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91 On Sat, Mar 9, 2013 at 12:24 AM, Daniel Veditz <dveditz@mozilla.com> wrote: > On 3/1/2013 12:24 PM, Nick Krempel wrote: > >> Given a host source expression like "http://www.w3.org/scripts/", I >> couldn't see any wording in the CSP 1.1 draft to make sure that >> "http://www.w3.org/scripts/../**bad.js<http://www.w3.org/scripts/../bad.js>" >> doesn't match it. Is this a problem? >> > > It's not a problem if user agents canonicalize URLs according to > http://tools.ietf.org/html/**rfc3986#section-6.2.2.3<http://tools.ietf.org/html/rfc3986#section-6.2.2.3>before applying CSP restrictions. Firefox does and I assume Chrome does > too, but it probably wouldn't hurt to mention it explicitly in the spec. > > > The 3.2.2 Source List section of the CSP spec does mention two parts of > rfc3986 in the syntax section. We should add a step 0 to section 3.2.2.2 > "Matching" > > 0. The URI must be normalized according to RFC 3986 section 6 > 1. If the source expression.... > > -Dan Veditz > >
Received on Monday, 18 March 2013 10:47:29 UTC