
Re: [CSP] URI/IRI normalization and comparison

From: Brian Smith <brian@briansmith.org>
Date: Tue, 11 Nov 2014 14:44:02 -0800
Message-ID: <CAFewVt6e_j1n0JVD5QUHRXcXmYB3RQH-339tnpqU1ZMpA2HNeg@mail.gmail.com>
To: Anne van Kesteren <annevk@annevk.nl>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
On Mon, Nov 10, 2014 at 1:07 AM, Anne van Kesteren <annevk@annevk.nl> wrote:
> On Mon, Nov 10, 2014 at 2:43 AM, Brian Smith <brian@briansmith.org> wrote:
>> To fix this, I think that a new normalization rule based on the WHATWG
>> URL standard's "percent-decode" algorithm is needed.
>
> If someone could file a bug against the URL Standard with the
> requirements, I'd be happy to work out a way to compare URLs that does
> normalization that a browser typically does not perform and a server
> might not perform. I think that is indeed mostly in the
> percent-encoding area. E.g. browsers will make different fetches for
> /%40 and /@ even though the server might return the same resource.

Good point. I believe that the syntax for CSP paths must be able to
encode, *exactly*, the syntax of paths that a browser will emit in
HTTP requests. This may mean that the current spec is just plain wrong
in requiring the escaping of "," and ";". It is probably the case that
the syntax for CSP paths needs to be changed to add a quoting
mechanism for paths that is compatible with the HTTP quoting
mechanism. This would be a backward-incompatible change from what is
currently specified in the CSP2 draft, so it should be fixed before
CSP2 is finalized.

Cheers,
Brian
Received on Tuesday, 11 November 2014 22:44:29 UTC
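
Added example, not part of Brian's or Anne's messages and not text from the CSP2 draft: a small Node.js script that percent-decodes the way the WHATWG URL Standard's "percent-decode" algorithm does and then compares a CSP path-part against the path the browser actually puts on the wire (Node's URL class implements the same standard, so new URL(href).pathname is what a browser would send). The matching rules it applies (split on "/", decode each segment, a trailing "/" means prefix match) are this example's own assumptions, chosen to exercise the cases raised in the thread: "/%40" versus "/@", and policy paths in which "," and ";" had to be written escaped.

```javascript
// Added example, not from the thread or the CSP2 draft: compares a CSP path-part
// against the request path with and without WHATWG-style percent-decoding.
// The matching rules (split on "/", decode each segment, trailing "/" means
// prefix match) are this example's own assumptions.

// WHATWG URL Standard "percent-decode": every "%XX" with two hex digits becomes
// the byte XX; a "%" not followed by two hex digits is kept as-is. The algorithm
// works on bytes, so encode to UTF-8 first and decode back leniently afterwards.
function percentDecode(input) {
  const bytes = new TextEncoder().encode(input);
  const out = [];
  for (let i = 0; i < bytes.length; i++) {
    const b = bytes[i];
    if (b === 0x25 /* "%" */ && i + 2 < bytes.length) {
      const hex = String.fromCharCode(bytes[i + 1], bytes[i + 2]);
      if (/^[0-9A-Fa-f]{2}$/.test(hex)) {
        out.push(parseInt(hex, 16));
        i += 2;
        continue;
      }
    }
    out.push(b);
  }
  // Default TextDecoder is non-fatal: invalid UTF-8 becomes U+FFFD, it never throws.
  return new TextDecoder("utf-8").decode(Uint8Array.from(out));
}

// The path a WHATWG-URL-conformant browser sends for a given href. Node's URL
// follows the same standard, so "/%40" stays "/%40" and "/@" stays "/@".
function browserRequestPath(href) {
  return new URL(href).pathname;
}

// Literal comparison: roughly what a string-based matcher does today.
function naivePathMatches(cspPath, requestPath) {
  return cspPath.endsWith("/")
    ? requestPath.startsWith(cspPath)
    : requestPath === cspPath;
}

// Comparison after percent-decoding. Split on "/" BEFORE decoding so that an
// encoded slash ("%2F") inside a segment can never become a segment boundary
// and widen what the policy allows.
function normalizedPathMatches(cspPath, requestPath) {
  const want = cspPath.split("/").map(percentDecode);
  const have = requestPath.split("/").map(percentDecode);
  if (cspPath.endsWith("/")) {
    want.pop(); // the trailing "/" leaves an empty final segment
    if (have.length < want.length) return false;
  } else if (want.length !== have.length) {
    return false;
  }
  return want.every((segment, i) => segment === have[i]);
}

// Constructed cases for illustration, not taken from any real policy or site.
const cases = [
  // Anne's example: the browser fetches /%40 and /@ as different URLs...
  ["/%40", "https://example.com/@"],
  // ...and a policy that had to escape "," and ";" must still match the
  // literal "," and ";" the browser emits in the request path.
  ["/a%2Cb", "https://example.com/a,b"],
  ["/x%3By", "https://example.com/x;y"],
  // An encoded slash must NOT be normalized into a path separator.
  ["/a%2Fb", "https://example.com/a/b"],
  // Prefix form: "/scripts/" covers everything beneath it.
  ["/scripts/", "https://example.com/scripts/app.js"],
];

for (const [cspPath, href] of cases) {
  const requestPath = browserRequestPath(href);
  console.log(
    `${cspPath.padEnd(10)} vs ${requestPath.padEnd(18)}` +
      ` naive=${naivePathMatches(cspPath, requestPath)}` +
      ` normalized=${normalizedPathMatches(cspPath, requestPath)}`
  );
}
```

Run it with node; the first three cases print naive=false and normalized=true, the "%2F" case stays false under both (the slash check above is what keeps a decoded "%2F" from acting as a separator), and the prefix case is true under both.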
