[CSP] URI/IRI normalization and comparison from Brian Smith on 2014-11-06 (public-webappsec@w3.org from November 2014)

From: Brian Smith <brian@briansmith.org>
Date: Thu, 6 Nov 2014 14:24:41 -0800
To: "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <CAFewVt54eDF=2ZNPUXR79wn2i555bqRTc-LpDjfcHj5KGzDC6Q@mail.gmail.com>

1. In section 4.2.2, the first step is "Normalize the URI according to
Section 6 of RFC3986." However, there is no step for normalizing the
source expression. I think the source expression should be normalized
too.

2. That same requirement does not take into account IRIs. I think that
instead of referencing Section 6 of RFC3986 (which is oblivious to
IRIs), the spec should instead reference Section 5 of RFC3987, where
IRI normalization is defined. Or, even better, the specification
should defer to the HTML5 rules. if there are any. It would also be
good to have an example to call out the need to take into account
IRIs. I've included such an example below.

3. When Content-Security-Policy is defined as an HTTP header, it makes
sense to require IRIs to be converted to URIs because HTTP headers
cannot do Unicode. And, if one takes the "http-equiv" part of the
<meta> tag literally, then the same restriction makes sense for the
<meta> variant. However, since HTML *is* Unicode-capable, and because
dealing with punycode is a barrier to non-English-speaking users, it
may be better to allow IRI (Unicode) encoding in the <meta> version of
CSP. Maybe something to consider for future versions.

In the example below, note that "xn--wgv71a119e" is the punycode
encoding of "日本語" and that "日本語" is the Japanese word Nihongo, which
means "Japanese Language".

Example 1 (Chrome and Firefox both load a.js and b.js):

<!DOCTYPE html>
<meta charset="UTF-8">
<meta http-equiv=Content-Security-Policy
      content="script-src xn--wgv71a119e.example.com">
<script src="//xn--wgv71a119e.example.com/a.js"></script>
<script src="//日本語.example.com/b.js"></script>

Example 1 (Chrome complains about the invalid syntax in the policy,
and Chrome and Firefox both load a.js and b.js because the policy is
invalid):

<!DOCTYPE html>
<meta charset="UTF-8">
<meta http-equiv=Content-Security-Policy
      content="script-src 日本語.example.com">
<script src="//xn--wgv71a119e.example.com/a.js"></script>
<script src="//日本語.example.com/b.js"></script>

a.js: alert("a.js");
b.js: alert("b.js");

Cheers,
Brian

Received on Thursday, 6 November 2014 22:25:09 UTC