
Re: [CSP] Relative/absolute hostname matching

From: Mike West <mkwst@google.com>
Date: Fri, 7 Nov 2014 11:05:17 +0100
Message-ID: <CAKXHy=ezgcq-2MBcjD_arYJOBcbpNTq4o2ze388pd9ynGWCe4Q@mail.gmail.com>
To: Anne van Kesteren <annevk@annevk.nl>
Cc: Brian Smith <brian@briansmith.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Boris Zbarsky <bzbarsky@mit.edu>, Valentin Gosu <valentin.gosu@gmail.com>
On Fri, Nov 7, 2014 at 10:11 AM, Anne van Kesteren <annevk@annevk.nl> wrote:

>
> It would be interesting to consider if we could normalize the dot away
> during URL parsing. This would make "http://example.com./" always load
> "http://example.com/" and we'd basically not expose a way to get to
> the former. Is that a realistic option?
>

My worry is that we'd be unable to support internal names on intranets. For
instance, consider an internal shortlinking service named
`go.internal.megacorp.com`, which is accessible by typing `go`. If we
automagically assume that `go` is `go.`, then we'd break the resolution,
right?

I think we'd have to limit the behavior to public suffixes, which seems
strange to bring into URL parsing.

-mike

--
Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Court of registration and number: Hamburg, HRB 86891
Registered office: Hamburg
Managing directors: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
Received on Friday, 7 November 2014 10:06:11 UTC
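The two host-matching behaviours this thread contrasts (strict comparison versus normalizing the trailing dot away), as an added Python example that is not part of the original email or of any CSP implementation; the matching rules are a simplified form of CSP Level 2 host matching and the host names are constructed for illustration.

```python
from urllib.parse import urlsplit


def _drop_trailing_dot(host: str) -> str:
    # Strip at most one trailing '.', i.e. "example.com." -> "example.com".
    return host[:-1] if host.endswith(".") else host


def host_matches(source_host: str, url: str, normalize_trailing_dot: bool = False) -> bool:
    """Simplified CSP Level 2 host matching: compare case-insensitively;
    a source starting with '*.' matches any host that has at least one
    extra label in front of the remainder; anything else must match exactly.
    With normalize_trailing_dot=True a trailing '.' on either side is
    ignored first, which is the URL-parser normalization proposed above."""
    src = source_host.lower()
    host = (urlsplit(url).hostname or "").lower()
    if normalize_trailing_dot:
        src, host = _drop_trailing_dot(src), _drop_trailing_dot(host)
    if src.startswith("*."):
        suffix = src[1:]  # e.g. ".megacorp.com"
        return host.endswith(suffix) and len(host) > len(suffix)
    return src == host


# Constructed cases: a public host with and without the trailing dot, and a
# single-label intranet name "go" (completed by the resolver's search suffix)
# versus the absolute root-level name "go.". Hypothetical hosts, not real ones.
CASES = [
    ("example.com", "http://example.com/"),
    ("example.com", "http://example.com./"),
    ("go", "http://go/"),
    ("go", "http://go./"),
    ("*.megacorp.com", "http://go.internal.megacorp.com/"),
    ("*.megacorp.com", "http://go.internal.megacorp.com./"),
]


def compare_policies() -> dict:
    """Return {(source, url): (strict_result, normalized_result)} per case.
    Under normalization "go" and "go." collapse into one host, which is
    exactly the intranet-resolution concern raised in the reply above."""
    return {(s, u): (host_matches(s, u), host_matches(s, u, True)) for s, u in CASES}


if __name__ == "__main__":
    for (s, u), (strict, norm) in compare_policies().items():
        print(f"{s:16} {u:40} strict={strict!s:5} normalized={norm}")
```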
