
Re: [CSP] URI/IRI normalization and comparison

From: Anne van Kesteren <annevk@annevk.nl>
Date: Mon, 10 Nov 2014 10:07:04 +0100
Message-ID: <CADnb78hqgo9bCHLBSRr8ZLibNNmQDQ9F9Lg85Nat=i3dYx0ing@mail.gmail.com>
To: Brian Smith <brian@briansmith.org>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>

On Mon, Nov 10, 2014 at 2:43 AM, Brian Smith <brian@briansmith.org> wrote:
> To fix this, I think that a new normalization rule based on the WHATWG
> URL standard's "percent-decode" algorithm is needed.

If someone could file a bug against the URL Standard with the
requirements, I'd be happy to work out a way to compare URLs that does
normalization that a browser typically does not perform and a server
might not perform. I think that is indeed mostly in the
percent-encoding area. E.g. browsers will make different fetches for
/%40 and /@ even though the server might return the same resource.

It has always seemed like a bad idea to me to define CSP matching
rules in terms of an RFC nobody adheres to.

Received on Monday, 10 November 2014 09:07:31 UTC
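The /%40 versus /@ case mentioned above, worked through as an added example that is not part of the original message: a byte-level percent-decode in the style of the WHATWG URL Standard's algorithm, used to compare paths with no normalization, with whole-path decoding, and with segment-aware decoding. Function names are my own, and the sample paths are constructed.

```javascript
// Percent-decode in the style of the WHATWG URL Standard: work on UTF-8 bytes,
// turn '%' followed by two hex digits into that byte, copy everything else
// through unchanged. Added example, not code from the mailing-list thread.
const encoder = new TextEncoder();

function isHexByte(b) {
  return (b >= 0x30 && b <= 0x39) || (b >= 0x41 && b <= 0x46) || (b >= 0x61 && b <= 0x66);
}

function percentDecode(str) {
  const bytes = encoder.encode(str);
  const out = [];
  for (let i = 0; i < bytes.length; i++) {
    const b = bytes[i];
    if (b === 0x25 && i + 2 < bytes.length && isHexByte(bytes[i + 1]) && isHexByte(bytes[i + 2])) {
      out.push(parseInt(String.fromCharCode(bytes[i + 1], bytes[i + 2]), 16));
      i += 2; // consume the two hex digits
    } else {
      out.push(b); // '%' without two hex digits ("%4", "%zz") stays literal
    }
  }
  return Uint8Array.from(out);
}

function bytesEqual(x, y) {
  if (x.length !== y.length) return false;
  for (let i = 0; i < x.length; i++) if (x[i] !== y[i]) return false;
  return true;
}

// No normalization: the behaviour of a matcher that compares the raw strings,
// so "/%40" and "/@" are treated as different resources.
function pathsMatchRaw(a, b) {
  return a === b;
}

// Whole-path decoding: "/%40" and "/@" now match, but an encoded "%2F" is
// also turned into a separator, so "/a%2Fb" is conflated with "/a/b".
function pathsMatchDecoded(a, b) {
  return bytesEqual(percentDecode(a), percentDecode(b));
}

// Segment-aware decoding: split on literal '/' first, then decode each
// segment, so "%2F" inside a segment never becomes a segment boundary.
function pathsMatchBySegment(a, b) {
  const sa = a.split('/'), sb = b.split('/');
  if (sa.length !== sb.length) return false;
  return sa.every((seg, i) => bytesEqual(percentDecode(seg), percentDecode(sb[i])));
}
```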
