
Re: [CSP] URI/IRI normalization and comparison

From: Anne van Kesteren <annevk@annevk.nl>
Date: Wed, 12 Nov 2014 09:55:31 +0100
Message-ID: <CADnb78jxU0QpUY=ULBrNR2Oy--KHKY6JqfGihv2krf-O3SmxOQ@mail.gmail.com>
To: Brian Smith <brian@briansmith.org>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>

On Wed, Nov 12, 2014 at 9:40 AM, Brian Smith <brian@briansmith.org> wrote:
> If you get a garbage Location like that for anything other than a
> redirect, you just ignore it. When you get a garbage Location like
> that for a redirect, you probably should just show an error page,
> though you'd have to do a survey of browser implementations to know
> for sure what to do.

As far as I know, and I have tested these things, we need to
follow it per how I described it.

> In other words, when processing URLs in HTTP headers, in general you
> need to deal with the URL according to RFC 3986 rules at the HTTP
> level, and deal with the URL using HTML5 rules at the HTML level.

That is nonsense.

E.g. we are required to support (note the space)

  Location: /x x/

in HTTP. We don't use a different URL parser for HTTP.

Received on Wednesday, 12 November 2014 08:55:58 UTC
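
Added example, not part of the original message or of any browser's code: the `Location: /x x/` value from the message, checked against the RFC 3986 character set and then resolved with the URL parser built into JavaScript runtimes, to show why comparisons (for instance against a policy's source list) should be made on the parsed, serialized URL rather than on the raw header bytes. The host `example.test` and all function names are assumptions made for the illustration.

```javascript
// Added example. example.test and the function names are constructed for illustration.

// Character-level RFC 3986 check: unreserved, gen-delims, sub-delims, or %HH.
// It tests the allowed character set only, not the full URI grammar.
const RFC3986_CHARS =
  /^(?:[A-Za-z0-9\-._~:\/?#\[\]@!$&'()*+,;=]|%[0-9A-Fa-f]{2})*$/;

function isRfc3986Clean(value) {
  return RFC3986_CHARS.test(value);
}

// Resolve a Location value against the request URL with the runtime's URL parser.
// Returns the serialized URL, or null when the parser rejects the input.
function resolveLocation(location, requestUrl) {
  try {
    return new URL(location, requestUrl).href;
  } catch {
    return null;
  }
}

// Compare two URL strings after parsing and serialization, not as raw strings.
function sameUrl(a, b, requestUrl) {
  const left = resolveLocation(a, requestUrl);
  const right = resolveLocation(b, requestUrl);
  return left !== null && left === right;
}

// Constructed sample input: the header value from the message and a request URL.
const REQUEST_URL = "https://example.test/a/b";
const RAW_LOCATION = "/x x/";

function report() {
  return {
    rfc3986Clean: isRfc3986Clean(RAW_LOCATION),             // space is outside the set
    resolved: resolveLocation(RAW_LOCATION, REQUEST_URL),   // space becomes %20
    rawEqual: RAW_LOCATION === "/x%20x/",                   // raw strings differ
    parsedEqual: sameUrl(RAW_LOCATION, "/x%20x/", REQUEST_URL),
  };
}

console.log(report());
```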
