- From: Brian Smith <brian@briansmith.org>
- Date: Tue, 11 Nov 2014 14:44:02 -0800
- To: Anne van Kesteren <annevk@annevk.nl>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
On Mon, Nov 10, 2014 at 1:07 AM, Anne van Kesteren <annevk@annevk.nl> wrote:
> On Mon, Nov 10, 2014 at 2:43 AM, Brian Smith <brian@briansmith.org> wrote:
>> To fix this, I think that a new normalization rule based on the WHATWG
>> URL standard's "percent-decode" algorithm is needed.
>
> If someone could file a bug against the URL Standard with the
> requirements, I'd be happy to work out a way to compare URLs that does
> normalization that a browser typically does not perform and a server
> might not perform. I think that is indeed mostly in the
> percent-encoding area. E.g. browsers will make different fetches for
> /%40 and /@ even though the server might return the same resource.

Good point.

I believe that the syntax for CSP paths must be able to encode, *exactly*, the syntax of paths that a browser will emit in HTTP requests. This may mean that the current spec is just plain wrong in requiring the escaping of "," and ";".

It is probably the case that the syntax for CSP paths needs to be changed to add a quoting mechanism for paths that is compatible with the HTTP quoting mechanism. This would be a backward-incompatible change from what is currently specified in the CSP2 draft, so it should be fixed before CSP2 is finalized.

Cheers,
Brian
Received on Tuesday, 11 November 2014 22:44:29 UTC
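Added example, not part of the thread or of any spec text: a WHATWG-style percent-decode plus a CSP2-style path comparison, showing that Anne's `/%40` vs `/@` case and the CSP2 rule that `,` in a path is written `%2C` only line up when both sides are percent-decoded before comparing. The matching rule (prefix when the source path ends in `/`, exact otherwise) follows the CSP2 draft; the function names and sample paths are mine.

```python
"""Compare a CSP source-expression path with a request path, with and
without WHATWG percent-decoding (illustrative code, not from the thread)."""

HEX = frozenset(b"0123456789abcdefABCDEF")


def percent_decode(s: str) -> bytes:
    """WHATWG URL 'percent-decode': a '%' followed by two hex digits becomes
    one byte; anything else, including a lone or malformed '%', is copied
    through unchanged. Works on UTF-8 bytes, as the standard does."""
    data = s.encode("utf-8")
    out = bytearray()
    i = 0
    while i < len(data):
        if (data[i] == 0x25 and i + 2 < len(data)
                and data[i + 1] in HEX and data[i + 2] in HEX):
            out.append(int(data[i + 1:i + 3], 16))
            i += 3
        else:
            out.append(data[i])
            i += 1
    return bytes(out)


def csp_path_matches(source_path: str, request_path: str,
                     normalize: bool = True) -> bool:
    """CSP2 path-part matching: a source path ending in '/' is a prefix
    match, any other source path must match exactly. normalize=False is the
    byte-for-byte comparison; normalize=True decodes both sides first."""
    if normalize:
        src, req = percent_decode(source_path), percent_decode(request_path)
    else:
        src, req = source_path.encode("utf-8"), request_path.encode("utf-8")
    if src.endswith(b"/"):
        return req.startswith(src)
    return src == req


if __name__ == "__main__":
    # Constructed cases. CSP2 requires ',' and ';' in a path-part to be
    # percent-encoded (they separate policies/directives in the header), but a
    # browser sends ',' literally in the request path, so raw comparison fails.
    cases = [("/report%2Cjson", "/report,json"),   # comma escaped in CSP only
             ("/%40", "/@"),                       # Anne's example
             ("/api/", "/api/v1/users"),           # prefix match
             ("/a%2Fb", "/a/b")]                   # caveat: decoding merges a
    for src, req in cases:                         # literal and encoded slash
        print(f"{src:16} vs {req:16} raw={csp_path_matches(src, req, False)!s:5} "
              f"decoded={csp_path_matches(src, req)}")
```

The last case is the caveat a reviewer would raise: percent-decoding also equates `%2F` with `/`, so a comparison based on it treats two paths as the same that a server may route differently.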