- From: Brian Smith <brian@briansmith.org>
- Date: Thu, 6 Nov 2014 14:24:41 -0800
- To: "public-webappsec@w3.org" <public-webappsec@w3.org>
1. In section 4.2.2, the first step is "Normalize the URI according to Section 6 of RFC3986." However, there is no step for normalizing the source expression. I think the source expression should be normalized too.

2. That same requirement does not take into account IRIs. I think that instead of referencing Section 6 of RFC3986 (which is oblivious to IRIs), the spec should instead reference Section 5 of RFC3987, where IRI normalization is defined. Or, even better, the specification should defer to the HTML5 rules, if there are any. It would also be good to have an example to call out the need to take into account IRIs. I've included such an example below.

3. When Content-Security-Policy is defined as an HTTP header, it makes sense to require IRIs to be converted to URIs because HTTP headers cannot do Unicode. And, if one takes the "http-equiv" part of the `<meta>` tag literally, then the same restriction makes sense for the `<meta>` variant. However, since HTML *is* Unicode-capable, and because dealing with punycode is a barrier to non-English-speaking users, it may be better to allow IRI (Unicode) encoding in the `<meta>` version of CSP. Maybe something to consider for future versions.

In the example below, note that "xn--wgv71a119e" is the punycode encoding of "日本語" and that "日本語" is the Japanese word Nihongo, which means "Japanese Language".

Example 1 (Chrome and Firefox both load a.js and b.js):

```html
<!DOCTYPE html>
<meta charset="UTF-8">
<meta http-equiv=Content-Security-Policy content="script-src xn--wgv71a119e.example.com">
<script src="//xn--wgv71a119e.example.com/a.js"></script>
<script src="//日本語.example.com/b.js"></script>
```

Example 2 (Chrome complains about the invalid syntax in the policy, and Chrome and Firefox both load a.js and b.js because the policy is invalid):

```html
<!DOCTYPE html>
<meta charset="UTF-8">
<meta http-equiv=Content-Security-Policy content="script-src 日本語.example.com">
<script src="//xn--wgv71a119e.example.com/a.js"></script>
<script src="//日本語.example.com/b.js"></script>
```

a.js:

```js
alert("a.js");
```

b.js:

```js
alert("b.js");
```

Cheers,
Brian
Received on Thursday, 6 November 2014 22:25:09 UTC