
Re: CfC: Transition CSP2 to CR.

From: Brian Smith <brian@briansmith.org>
Date: Mon, 9 Feb 2015 03:42:17 -0800
Message-ID: <CAFewVt70BG_ZGTR8N-qfiVi3onV62e0dqAgmaEeROvXE+ZrGQQ@mail.gmail.com>
To: Mike West <mkwst@google.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>, Brad Hill <hillbrad@gmail.com>, Dan Veditz <dveditz@mozilla.com>, Wendy Seltzer <wseltzer@w3.org>
Mike West <mkwst@google.com> wrote:
>> 1. The semantics of CSP nonce. It is clear what Mike thinks, and I
>> hope it is clear what I think, but it is not clear whether others'
>> silence is agreement with what the spec currently says, apathy, or an
>> indication that the issue hasn't been sufficiently considered. I think
>> it is better for the spec to be made more secure by making the changes
>> I suggested in the "Clarifications on nonces" thread, but if there's a
>> consensus in the working group that it is important for the nonce to
>> be able to be passed around like a bearer token, I won't argue
>> further. My concern is that it hasn't been adequately considered.
>
> Ok. I'm not sure how to measure consensus here. :) You (and Dev?) aren't
> fond of nonces' current behavior. I am. Hopefully other folks will weigh in.

I agree. It would be good to make sure that people understand the
issue and make the spec say something that has been verified to be
the consensus of the working group.

>> 2. As I mentioned previously, I think it is really unfortunate that
>> CSP2 isn't properly Unicode-enabled. I know that nobody is
>> intentionally trying to discriminate against any group of people, but
>> IMO this incidental discrimination shouldn't be accepted either. I
>> think this issue deserves the same level of consideration as
>> accessibility for people with visual impairments. (Note I'm not trying
>> to diminish the importance of accessibility work.)
>
> To be sure I understand what needs to be done here, you'd like us to:
>
> * Remove the recommendation to use punycode (what should we do with
> punycode? should it match its unicode equiv?)

In the ASCII encoding of an internationalized URL, two different
encoding mechanisms are used: punycode for domain labels, and
URL-escaped UTF-8 (IIRC) for everything else. So, it isn't just an
issue with punycode.

Yes, a URL should be considered equal to its ASCII-ified (IRI-to-URI)
equivalent. So, for example,

> * Allow unicode characters as part of the grammar

> * Recommend that folks %-encode unicode characters when delivered as an HTTP
> header

Not just %-encoded, but convert the IRI to a URI. In particular,
punycode should be used for the domain labels in the authority, and
the path and query string should be converted to UTF-8 and then
normalized and URL-encoded.

It would be worth verifying with Anne about whether this is exactly
correct. I'm assuming that the URL Standard has the capability of
taking an URL Standard URL (which are internationalized) and
converting it into an on-the-wire ASCII encoding that is like an
IETF-specified URI.

Cheers,
Brian
Received on Monday, 9 February 2015 11:42:44 UTC
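The IRI-to-URI conversion Brian describes (punycode for the domain labels in the authority, UTF-8 plus normalization plus percent-encoding for the path and query) can be shown concretely. The following is an added example written for this archive page; it is not code from Brian, from the CSP specification, or from the URL Standard. It uses only the Python standard library; the `idna` codec it relies on implements IDNA2003 nameprep, which is an approximation of what a URL Standard host parser would do, and the authority handling assumes no userinfo. The function names `iri_to_uri` and `csp_sources_equal` are this example's own.

```python
import unicodedata
from urllib.parse import urlsplit, urlunsplit, quote

# Characters left unescaped in path and query: RFC 3986 unreserved and
# sub-delims, plus "%" so already percent-encoded input is not double-encoded.
_PATH_SAFE = "/:@!$&'()*+,;=-._~%"
_QUERY_SAFE = _PATH_SAFE + "?"


def iri_to_uri(iri: str) -> str:
    """Convert an internationalized URL (IRI) to its ASCII wire form.

    Host labels are IDNA (punycode) encoded; path and query are NFC-normalized,
    UTF-8 encoded and percent-escaped. A scheme-less CSP source expression such
    as "host/path" is accepted as well. Assumes no userinfo in the authority.
    """
    has_scheme = "://" in iri
    # urlsplit only recognises a host when the input starts with "//" or a scheme.
    parts = urlsplit(iri if has_scheme else "//" + iri)

    netloc = ""
    if parts.hostname:
        # hostname is already lowercased by urlsplit; the idna codec encodes
        # each label separately, leaving pure-ASCII labels untouched.
        netloc = parts.hostname.encode("idna").decode("ascii")
        if parts.port is not None:
            netloc += f":{parts.port}"

    # Normalize first so that "u" + COMBINING DIAERESIS and precomposed "ü"
    # produce the same bytes, then percent-encode the UTF-8 form.
    path = quote(unicodedata.normalize("NFC", parts.path), safe=_PATH_SAFE)
    query = quote(unicodedata.normalize("NFC", parts.query), safe=_QUERY_SAFE)

    out = urlunsplit((parts.scheme, netloc, path, query, ""))
    # Drop the "//" prefix that was added for scheme-less input.
    return out if has_scheme else out[2:]


def csp_sources_equal(a: str, b: str) -> bool:
    """Compare two source expressions by their ASCII-ified (IRI-to-URI) forms,
    so a Unicode source and its punycode/percent-encoded equivalent match."""
    return iri_to_uri(a) == iri_to_uri(b)


if __name__ == "__main__":
    # Constructed sample inputs, not taken from the thread.
    for sample in (
        "https://bücher.example/über?x=ä",
        "https://xn--bcher-kva.example/%C3%BCber?x=%C3%A4",
        "bücher.example:8443/über",
        "https://example.com/u\u0308ber",
    ):
        print(f"{sample!r} -> {iri_to_uri(sample)!r}")
    print(csp_sources_equal("https://bücher.example/über",
                            "https://xn--bcher-kva.example/%C3%BCber"))
```

The equality check is the point of the exercise: a policy author who writes the Unicode form of a host and a browser that receives the ASCII form must agree on what matches, and the comparison only works if both sides run the same conversion, including the normalization step, before comparing.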
