- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Fri, 7 Nov 2014 09:27:52 +0100
- To: Brian Smith <brian@briansmith.org>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>

On Thu, Nov 6, 2014 at 11:24 PM, Brian Smith <brian@briansmith.org> wrote:
> 1. In section 4.2.2, the first step is "Normalize the URI according to
> Section 6 of RFC3986." However, there is no step for normalizing the
> source expression. I think the source expression should be normalized
> too.

Also, section 6 defines many forms of normalization. You'd have to
pick one. However, I don't think URL parsing is implemented that way
in practice. https://url.spec.whatwg.org/ comes much closer and is
what we want to use here.

Per what encoding is a CSP header decoded? "original latin1"? (That
probably needs to be defined or some rule that non-ASCII is a fatal
error.)

> However, since HTML *is* Unicode-capable, and because
> dealing with punycode is a barrier to non-English-speaking users, it
> may be better to allow IRI (Unicode) encoding in the <meta> version of
> CSP. Maybe something to consider for future versions.

Yeah we should. If we use the URL parser per above there's not really
a distinction.

--
https://annevankesteren.nl/

Received on Friday, 7 November 2014 08:28:19 UTC
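
Added example, not part of the original message or of the CSP specification: a simplified sketch of running both the request URL and a full host-source expression through the WHATWG URL parser (`URL` in browsers and Node.js) before comparing them, as the message proposes. The function names and sample hosts are assumptions, and the path rule is a simplification, not the spec's matching algorithm.

```javascript
'use strict';
// Illustrative sketch only: hypothetical helper names, constructed sample hosts.

// One option floated in the thread: non-ASCII in a header-delivered
// policy is a fatal error rather than being decoded as latin1.
function assertAsciiHeader(value) {
  if (/[^\x00-\x7f]/.test(value)) {
    throw new TypeError('non-ASCII character in header-delivered policy');
  }
  return value;
}

// Normalise a URL or a full "scheme://host[:port][/path]" source expression.
// Wildcards, scheme-only and scheme-less sources are out of scope here.
function normalize(input) {
  const u = new URL(input); // throws TypeError on unparsable input
  // The parser lowercases scheme and host, drops the default port, resolves
  // dot-segments and converts a Unicode host to its punycode (ASCII) form.
  return { origin: u.origin, path: u.pathname };
}

// Compare only after BOTH sides have gone through the same parser.
function matches(requestUrl, sourceExpr) {
  const req = normalize(requestUrl);
  const src = normalize(sourceExpr);
  if (req.origin !== src.origin) return false;
  if (src.path === '/') return true;   // no path restriction
  return src.path.endsWith('/')
    ? req.path.startsWith(src.path)    // directory prefix
    : req.path === src.path;           // exact resource
}

// A naive comparison of the raw strings, shown for contrast.
function naiveMatches(requestUrl, sourceExpr) {
  return requestUrl.startsWith(sourceExpr);
}
```

With an un-normalised source expression such as `HTTPS://EXAMPLE.com:443/a/../b/`, the raw string comparison never matches, while a request path like `/b/../c/x.js` slips past a raw prefix check on `/b/`; normalising both sides removes both discrepancies.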