
Re: CfC: Transition CSP2 to CR.

From: Mike West <mkwst@google.com>
Date: Mon, 9 Feb 2015 12:45:07 +0100
Message-ID: <CAKXHy=cqao0J9D=enkVPYy-LiyqZf89K9kQeW_6ObTEDv1wT1g@mail.gmail.com>
To: Brian Smith <brian@briansmith.org>, Anne van Kesteren <annevk@annevk.nl>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>, Brad Hill <hillbrad@gmail.com>, Dan Veditz <dveditz@mozilla.com>, Wendy Seltzer <wseltzer@w3.org>

On Mon, Feb 9, 2015 at 12:42 PM, Brian Smith <brian@briansmith.org> wrote:

> >> 2. As I mentioned previously, I think it is really unfortunate that
> >> CSP2 isn't properly Unicode-enabled. I know that nobody is
> >> intentionally trying to discriminate against any group of people, but
> >> IMO this incidental discrimination shouldn't be accepted either. I
> >> think this issue deserves the same level of consideration as
> >> accessibility for people with visual impairments. (Note I'm not trying
> >> to diminish the importance of accessibility work.)
> >
> > To be sure I understand what needs to be done here, you'd like us to:
> >
> > * Remove the recommendation to use punycode (what should we do with
> > punycode? should it match its unicode equiv?)
>
> In the ASCII encoding of an internationalized URL, two different
> encoding mechanisms are used: punycode for domain labels, and
> URL-escaped UTF-8 (IIRC) for everything else. So, it isn't just an
> issue with punycode.
>
> Yes, a URL should be considered equal to its ASCII-ified (IRI-to-URI)
> equivalent. So, for example,
>
> > * Allow unicode characters as part of the grammar
>
> > * Recommend that folks %-encode unicode characters when delivered as an HTTP
> > header
>
> Not just %-encoded, but convert the IRI to a URI. In particular,
> punycode should be used for the domain labels in the authority, and
> the path and query string should be converted to UTF-8 and then
> normalized and URL-encoded.
>
> It would be worth verifying with Anne about whether this is exactly
> correct. I'm assuming that the URL Standard has the capability of
> taking an URL Standard URL (which are internationalized) and
> converting it into an on-the-wire ASCII encoding that is like an
> IETF-specified URI.
>

Anne? :)

-mike

--
Mike West <mkwst@google.com>, @mikewest

Google Germany GmbH, Dienerstrasse 12, 80331 München,
Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der
Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth
Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
Received on Monday, 9 February 2015 11:45:55 UTC
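
The IRI-to-URI conversion described in the quoted reply (punycode for the domain labels, percent-encoded UTF-8 for the path and query), as an added Python example that is not part of the original message or of any CSP implementation. The function names and the `münchen.example` URL are constructed for illustration; Python's built-in `idna` codec implements IDNA 2003, and the normalization step the message leaves unspecified is not applied.

```python
from urllib.parse import urlsplit, urlunsplit, quote

# Characters left untouched in path and query: RFC 3986 unreserved and
# sub-delims, plus "%" so already percent-encoded input is not encoded twice.
_SAFE_PATH = "/%:@!$&'()*+,;=-._~"
_SAFE_QUERY = _SAFE_PATH + "?"


def iri_to_uri(iri: str) -> str:
    """Return the ASCII (on-the-wire) form of an internationalized URL."""
    parts = urlsplit(iri)
    host = parts.hostname or ""  # urlsplit lowercases the host
    # Punycode each non-ASCII domain label; ASCII labels pass through.
    labels = [
        label if label.isascii() else label.encode("idna").decode("ascii")
        for label in host.split(".")
    ]
    netloc = ".".join(labels)
    if parts.port is not None:
        netloc += f":{parts.port}"
    # quote() encodes str input as UTF-8 before percent-encoding.
    path = quote(parts.path, safe=_SAFE_PATH)
    query = quote(parts.query, safe=_SAFE_QUERY)
    return urlunsplit((parts.scheme, netloc, path, query, ""))


def same_source(a: str, b: str) -> bool:
    """Treat a URL and its ASCII-ified equivalent as equal."""
    return iri_to_uri(a) == iri_to_uri(b)


# Constructed sample: the same resource written as an IRI and as a URI.
SAMPLE_IRI = "https://münchen.example/straße?q=é"
SAMPLE_URI = "https://xn--mnchen-3ya.example/stra%C3%9Fe?q=%C3%A9"

if __name__ == "__main__":
    print(iri_to_uri(SAMPLE_IRI))
    print(same_source(SAMPLE_IRI, SAMPLE_URI))
```

A byte-for-byte comparison of the two sample strings fails, which is the mismatch a policy author hits when the header carries one form and the page requests the other.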
