W3C home > Mailing lists > Public > public-webappsec@w3.org > January 2015

Re: [CSP] URI/IRI normalization and comparison

From: Brian Smith <brian@briansmith.org>
Date: Thu, 15 Jan 2015 09:54:15 -0800
Message-ID: <CAFewVt4eOE47zGxciuHv-KXx2LhOzM1qUfdccD3oe_Sn+V3=GA@mail.gmail.com>
To: Mike West <mkwst@google.com>
Cc: Anne van Kesteren <annevk@annevk.nl>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Mike West <mkwst@google.com> wrote:
> Hi Brian and Anne!
>
> After reading this thread through, I'm confused. It's clear there's a
> problem, but it's not clear what's being suggested as a solution. :)
>
> Would one of you mind summarizing the concrete suggestions? I'm happy to
> make whatever spec changes make sense to resolve the encoding problems
> you've pointed out.

I would suggest:

1. Stop referring to any RFCs for URI normalization. Instead, define
the comparison in terms of the HTML5 URL comparison rules.

2. Don't require double-escaping. Double-escaping is required in order
to allow paths to include "," and ";", but it causes unintuitive
behavior for many other situations (any path that contains '%'). I
suggest for CSP2 that you simply don't allow paths to contain "," and
";". In a future version, we can define a new escaping syntax that
would allow paths to contain those two characters, e.g.
"urlencoded:<url>".

3. Allow IRIs (unescaped unicode characters), but recommend (not
require) that non-ASCII characters be escaped when the policy appears
in an HTTP header.

Cheers,
Brian
Received on Thursday, 15 January 2015 17:54:42 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:09 UTC