- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Mon, 10 Nov 2014 10:07:04 +0100
- To: Brian Smith <brian@briansmith.org>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
On Mon, Nov 10, 2014 at 2:43 AM, Brian Smith <brian@briansmith.org> wrote:
> To fix this, I think that a new normalization rule based on the WHATWG
> URL standard's "percent-decode" algorithm is needed.

If someone could file a bug against the URL Standard with the requirements, I'd be happy to work out a way to compare URLs that does normalization that a browser typically does not perform and a server might not perform. I think that is indeed mostly in the percent-encoding area. E.g. browsers will make different fetches for /%40 and /@ even though the server might return the same resource.

It has always seemed like a bad idea to me to define CSP matching rules in terms of an RFC nobody adheres to.

-- 
https://annevankesteren.nl/
Received on Monday, 10 November 2014 09:07:31 UTC
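As an added illustration of the point in this message (this is example code, not part of the thread or of any CSP or URL Standard text): the WHATWG URL parser keeps /%40 and /@ distinct, so a plain string comparison of paths will not match them, while a percent-decode in the URL Standard's sense (replace each valid %XX with the byte it names, leave everything else alone, never throw) makes them compare equal. The block also shows the caveat a CSP path-matching rule has to handle: decoding the whole path before comparing turns an encoded slash (%2F) into a segment separator, whereas splitting on "/" first and decoding each segment keeps /a%2Fb and /a/b apart. The function names parsedPath, percentDecode, rawPathMatch, wholePathDecodedMatch and segmentDecodedMatch are my own.

```javascript
// Added example, not code from the mailing-list thread or from any spec.
// Shows why /%40 and /@ compare unequal as fetched, and what a
// percent-decode-based CSP path comparison could look like.
// All function names here are my own.

// What the WHATWG URL parser hands the browser: percent-encoding in the
// path is preserved, so /%40 and /@ are two different requests on the wire.
function parsedPath(urlString) {
  return new URL(urlString).pathname;
}

function hexVal(c) {
  if (c >= 0x30 && c <= 0x39) return c - 0x30;       // '0'..'9'
  if (c >= 0x41 && c <= 0x46) return c - 0x41 + 10;  // 'A'..'F'
  if (c >= 0x61 && c <= 0x66) return c - 0x61 + 10;  // 'a'..'f'
  return -1;
}

// WHATWG URL "percent-decode": work on the UTF-8 bytes, replace each %XX
// (two hex digits) with the byte it names, and leave everything else,
// including a stray '%' or a malformed '%G1', exactly as it is. It never
// throws and never re-interprets the output as text, unlike decodeURIComponent.
function percentDecode(str) {
  const bytes = new TextEncoder().encode(str);
  const out = [];
  for (let i = 0; i < bytes.length; i++) {
    if (bytes[i] === 0x25 && i + 2 < bytes.length) {
      const hi = hexVal(bytes[i + 1]);
      const lo = hexVal(bytes[i + 2]);
      if (hi >= 0 && lo >= 0) {
        out.push(hi * 16 + lo);
        i += 2;
        continue;
      }
    }
    out.push(bytes[i]);
  }
  return Uint8Array.from(out);
}

function bytesEqual(a, b) {
  if (a.length !== b.length) return false;
  for (let i = 0; i < a.length; i++) if (a[i] !== b[i]) return false;
  return true;
}

// Plain string comparison, which is what you get when nothing decodes:
// /%40 and /@ do not match even though the server may serve the same resource.
function rawPathMatch(a, b) {
  return a === b;
}

// Decode the whole path, then compare. Fixes /%40 vs /@, but an encoded
// slash (%2F) now collapses into a segment separator, so /a%2Fb matches /a/b.
function wholePathDecodedMatch(a, b) {
  return bytesEqual(percentDecode(a), percentDecode(b));
}

// Split on '/' first, then percent-decode each segment independently.
// %40 and @ still match, while %2F stays inside its segment and does not
// match a literal '/'. The comparison is byte-for-byte, so %41 and 'a'
// stay distinct (only the encoding is normalized, not case).
function segmentDecodedMatch(a, b) {
  const segA = a.split("/");
  const segB = b.split("/");
  if (segA.length !== segB.length) return false;
  return segA.every((seg, i) => bytesEqual(percentDecode(seg), percentDecode(segB[i])));
}
```

Run under Node (URL and TextEncoder are globals there). Which variant a CSP matching rule should adopt is exactly the question the message leaves open; of the two decoding variants, the per-segment one is the only one that does not let an encoded slash widen a path match.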