Re: [CSP] URI/IRI normalization and comparison

From: Anne van Kesteren <annevk@annevk.nl>
Date: Fri, 7 Nov 2014 09:27:52 +0100
Message-ID: <CADnb78hL7o8eZXdyqGA2u6P1+zy7fX94CcoCWN=hMGVYfzFftg@mail.gmail.com>
To: Brian Smith <brian@briansmith.org>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>

On Thu, Nov 6, 2014 at 11:24 PM, Brian Smith <brian@briansmith.org> wrote:
> 1. In section 4.2.2, the first step is "Normalize the URI according to
> Section 6 of RFC3986." However, there is no step for normalizing the
> source expression. I think the source expression should be normalized
> too.

Also, section 6 defines many forms of normalization. You'd have to
pick one. However, I don't think URL parsing is implemented that way
in practice. https://url.spec.whatwg.org/ comes much closer and is
what we want to use here.

Per what encoding is a CSP header decoded? "original latin1"? (That
probably needs to be defined or some rule that non-ASCII is a fatal

> However, since HTML *is* Unicode-capable, and because
> dealing with punycode is a barrier to non-English-speaking users, it
> may be better to allow IRI (Unicode) encoding in the <meta> version of
> CSP. Maybe something to consider for future versions.

Yeah we should. If we use the URL parser per above there's not really
a distinction.

Received on Friday, 7 November 2014 08:28:19 UTC
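
The point discussed in this message, running both the URL and the source expression through the WHATWG URL parser before comparing them, sketched as an added example. It is not part of the original message and is not the CSP matching algorithm (no wildcards or scheme-only sources); `matchesRaw`, `matchesSource` and the sample URLs are hypothetical and constructed for illustration.

```javascript
// Added example, not from the original message. Simplified comparison only.

// Parse with the WHATWG URL parser (global URL in browsers and Node.js).
// Returns null instead of throwing so callers can fail closed.
function normalize(input) {
  try {
    return new URL(input);
  } catch {
    return null;
  }
}

// Naive check: compare the strings exactly as written.
function matchesRaw(requestUrl, sourceExpr) {
  return requestUrl.startsWith(sourceExpr);
}

// Hypothetical helper: parse BOTH sides, then compare origin and path.
// A source path ending in "/" is treated as a prefix, otherwise as exact.
function matchesSource(requestUrl, sourceExpr) {
  const u = normalize(requestUrl);
  const s = normalize(sourceExpr);
  if (!u || !s) return false; // unparseable input never matches
  if (u.origin !== s.origin) return false; // scheme, host, port after normalization
  return s.pathname.endsWith('/')
    ? u.pathname.startsWith(s.pathname)
    : u.pathname === s.pathname;
}

// Constructed samples: [request URL, source expression].
const SAMPLES = [
  // Case, default port and dot segments differ, same resource after parsing.
  ['HTTPS://Example.COM:443/js/../js/app.js', 'https://example.com/js/'],
  // Raw prefix matches, but the parsed path leaves the allowed directory.
  ['https://example.com/js/../admin/x.js', 'https://example.com/js/'],
  // Unicode host (b\u00fccher = "bücher") versus its punycode form.
  ['https://b\u00fccher.example/a.js', 'https://xn--bcher-kva.example/'],
];

// Returns one row per sample so the two strategies can be compared.
function compareAll() {
  return SAMPLES.map(([url, src]) => ({
    url,
    raw: matchesRaw(url, src),
    normalized: matchesSource(url, src),
  }));
}

console.table(compareAll());
```

The second sample is the one that matters for policy enforcement: the string comparison accepts a URL whose parsed path is outside the listed directory, while the parsed comparison rejects it.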
