Re: CfC: Transition CSP2 to CR.

Bjoern Hoehrmann <derhoermi@gmx.net> wrote:
> I think there is currently no adequate specification to reference for
> use in a security-sensitive environment. Much as I would agree that
> non-ASCII characters in URIs and parts of URIs or equivalent protocol
> elements should be permissable wherever ASCII is permissable, I think
> it would be better to do this at a later time for CSP.

These issues exist for Link and other header fields too. I think there
should be a general framework for solutions to this problem of IRIs in
HTTP header fields. I agree that CSP 2 shouldn't have to create that
framework.

> (You ended that paragraph in the middle of a sentence.)

Just ignore that.

>>You mentioned that urlencode(normalize(utf8encode(...))) is most
>>probably wrong. However, consider a document that is NOT in UTF-8
>>encoding, but instead in Shift-JIS. I believe that there does need to
>>be a first step of converting the text to Unicode and then UTF-8
>>encoding the Unicode text. However, I could very well be wrong here.
>
> You have to decode character encodings, sure, but that does not seem
> relevant here.

It is relevant for CSP policies that are defined in <meta>.

Cheers,
Brian

Received on Wednesday, 11 February 2015 11:53:31 UTC