- From: Brian Smith <brian@briansmith.org>
- Date: Thu, 15 Jan 2015 09:54:15 -0800
- To: Mike West <mkwst@google.com>
- Cc: Anne van Kesteren <annevk@annevk.nl>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Mike West <mkwst@google.com> wrote:
> Hi Brian and Anne!
>
> After reading this thread through, I'm confused. It's clear there's a
> problem, but it's not clear what's being suggested as a solution. :)
>
> Would one of you mind summarizing the concrete suggestions? I'm happy to
> make whatever spec changes make sense to resolve the encoding problems
> you've pointed out.

I would suggest:

1. Stop referring to any RFCs for URI normalization. Instead, define the comparison in terms of the HTML5 URL comparison rules.

2. Don't require double-escaping. Double-escaping is required in order to allow paths to include "," and ";", but it causes unintuitive behavior for many other situations (any path that contains '%'). I suggest for CSP2 that you simply don't allow paths to contain "," and ";". In a future version, we can define a new escaping syntax that would allow paths to contain those two characters, e.g. "urlencoded:<url>".

3. Allow IRIs (unescaped unicode characters), but recommend (not require) that non-ASCII characters be escaped when the policy appears in an HTTP header.

Cheers,
Brian
Received on Thursday, 15 January 2015 17:54:42 UTC
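The two path-matching conventions Brian contrasts, as an added example that is not part of this thread or of the CSP2 specification text. It models "double-escaping" as percent-decoding the policy's path-part once before comparing it with the URL path as serialized (an assumption about the behaviour under discussion, not a reproduction of the spec's matching algorithm), treats a trailing "/" as a directory prefix in the CSP2 style (also an assumption here), and shows why "," and ";" cannot appear literally in a path: header and directive splitting consumes them before any path comparison happens. All header values and paths are constructed for the example.

```python
"""Added example: models CSP source-expression path matching under
(a) a double-escaping convention and (b) plain comparison with ','
and ';' unavailable, to show the effect Brian describes.  The
modelling is an assumption for illustration, not the CSP2 algorithm."""
from urllib.parse import unquote


def split_policies(header_value: str) -> list[list[tuple[str, list[str]]]]:
    """Split a Content-Security-Policy header value into policies
    (',' joins multiple header instances), then directives (';'),
    then the directive name and its space-separated source expressions.
    Because ',' and ';' are delimiters at this level, a path that
    contains them literally is torn apart before matching is reached."""
    policies = []
    for policy in header_value.split(","):
        directives = []
        for directive in policy.split(";"):
            tokens = directive.split()
            if tokens:
                directives.append((tokens[0].lower(), tokens[1:]))
        policies.append(directives)
    return policies


def path_part(source_expr: str) -> str:
    """Return the path-part of a host-source expression such as
    https://example.com/js/app.js, or '' when it has none."""
    sep = source_expr.find("://")
    start = sep + 3 if sep != -1 else 0
    slash = source_expr.find("/", start)
    return source_expr[slash:] if slash != -1 else ""


def path_matches(policy_path: str, url_path: str, double_escaped: bool) -> bool:
    """Compare a policy path-part with a URL's serialized path.

    double_escaped=True (assumed CSP2-style convention): the policy
    path is percent-decoded once first.  An encoded space in the URL
    ('%20') must therefore be written '%2520' in the policy, and the
    intuitive '/a%20b' silently fails to match.  It does let ',' be
    expressed as '%2C'.

    double_escaped=False (Brian's CSP2 proposal): paths are compared
    as written; ',' and ';' are simply not expressible.
    A trailing '/' is treated as a directory prefix (assumption)."""
    candidate = unquote(policy_path) if double_escaped else policy_path
    if candidate.endswith("/"):
        return url_path.startswith(candidate)
    return candidate == url_path


def explain(policy_path: str, url_path: str) -> dict[str, bool]:
    """Side-by-side result of both conventions for one policy/URL pair."""
    return {
        "double_escaped": path_matches(policy_path, url_path, True),
        "plain": path_matches(policy_path, url_path, False),
    }


if __name__ == "__main__":
    # Constructed header: a literal ',' in a path splits into a bogus
    # second policy whose only 'directive' is the text after the comma.
    for policy in split_policies("script-src https://example.com/reports,2015"):
        print(policy)
    for policy_path, url_path in [
        ("/a%20b", "/a%20b"),        # intuitive copy of the URL path
        ("/a%2520b", "/a%20b"),      # what double-escaping actually needs
        ("/x%2Cy", "/x,y"),          # ',' reachable only via double-escaping
        ("/js/", "/js/app.js"),      # directory prefix
    ]:
        print(policy_path, url_path, explain(policy_path, url_path))
```

Running it shows the asymmetry from the email: the policy author who writes the URL's own path "/a%20b" gets a match only under plain comparison, while the double-escaping convention needs "/a%2520b"; conversely "/x,y" is expressible only through double-escaping, and a literal comma in a header value produces a spurious second policy.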