- From: Brian Smith <brian@briansmith.org>
- Date: Mon, 9 Feb 2015 03:42:17 -0800
- To: Mike West <mkwst@google.com>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>, Brad Hill <hillbrad@gmail.com>, Dan Veditz <dveditz@mozilla.com>, Wendy Seltzer <wseltzer@w3.org>
Mike West <mkwst@google.com> wrote: >> 1. The semantics of CSP nonce. It is clear what Mike thinks, and I >> hope it is clear what I think, but it is not clear whether others' >> silence is agreement with what the spec currently says, apathy, or an >> indication that the issue hasn't been sufficiently considered. I think >> it is better for the spec to be made more secure by making the changes >> I suggested in the "Clarifications on nonces" thread, but if there's a >> consensus in the working group that it is important for the nonce to >> be able to be passed around like a bearer token, I won't argue >> further. My concern is that it hasn't been adequately considered. > > Ok. I'm not sure how to measure consensus here. :) You (and Dev?) aren't > fond of nonces' current behavior. I am. Hopefully other folks will weigh in. I agree. It would be good to make sure that people understand the issue and make the spec says something that has been verified to be the consensus of the working group. >> 2. As I mentioned previously, I think it is really unfortunate that >> CSP2 isn't properly Unicode-enabled. I know that nobody is >> intentionally trying to discriminate against any group of people, but >> IMO this incidental discrimination shouldn't be accepted either. I >> think this issue deserves the same level of consideration as >> accessibility for people with visual impairments. (Note I'm not trying >> to diminish the importance of accessibility work.) > > To be sure I understand what needs to be done here, you'd like us to: > > * Remove the recommendation to use punycode (what should we do with > punycode? should it match its unicode equiv?) In the ASCII encoding of an internationalized URL, two different encoding mechanisms are used: punycode for domain labels, and URL-escaped UTF-8 (IIRC) for everything else. So, it isn't just an issue with punycode. Yes, a URL should be considered equal to its ASCII-ified (IRI-to-URI) equivalent. So, for example, > * Allow unicode characters as part of the grammar > * Recommend that folks %-encode unicode characters when delivered as an HTTP > header Not just %-encoded, but convert the IRI to a URI. In particular, punycode should be used for the domain labels in the authority, and the path and query string should be converted to UTF-8 and then normalized and URL-encoded. It would be worth verifying with Anne about whether this is exactly correct. I'm assuming that the URL Standard has the capability of taking an URL Standard URL (which are internationalized) and converting it into an on-the-wire ASCII encoding that is like an IETF-specified URI. Cheers, Brian
Received on Monday, 9 February 2015 11:42:44 UTC