W3C home > Mailing lists > Public > public-webappsec@w3.org > January 2015

Re: [CSP] URI/IRI normalization and comparison

From: Brad Hill <hillbrad@gmail.com>
Date: Thu, 15 Jan 2015 18:17:09 +0000
Message-ID: <CAEeYn8jNhmtnm7Gg=zAGRQF0tU7WNiB612HXtqNZ02Akvwz4fw@mail.gmail.com>
To: Brian Smith <brian@briansmith.org>, Mike West <mkwst@google.com>
Cc: Anne van Kesteren <annevk@annevk.nl>, "public-webappsec@w3.org" <public-webappsec@w3.org>

Umm... ';' in a path is pretty common, isn't it?  I don't know if we can just
refuse to allow it.  ni:/// URIs use it, e.g., and they are pretty much brand
new and we're using them in SRI.

On Thu Jan 15 2015 at 9:56:44 AM Brian Smith <brian@briansmith.org> wrote:

> Mike West <mkwst@google.com> wrote:
> > Hi Brian and Anne!
> >
> > After reading this thread through, I'm confused. It's clear there's a
> > problem, but it's not clear what's being suggested as a solution. :)
> >
> > Would one of you mind summarizing the concrete suggestions? I'm happy to
> > make whatever spec changes make sense to resolve the encoding problems
> > you've pointed out.
>
> I would suggest:
>
> 1. Stop referring to any RFCs for URI normalization. Instead, define
> the comparison in terms of the HTML5 URL comparison rules.
>
> 2. Don't require double-escaping. Double-escaping is required in order
> to allow paths to include "," and ";", but it causes unintuitive
> behavior for many other situations (any path that contains '%'). I
> suggest for CSP2 that you simply don't allow paths to contain "," and
> ";". In a future version, we can define a new escaping syntax that
> would allow paths to contain those two characters, e.g.
> "urlencoded:<url>".
>
> 3. Allow IRIs (unescaped unicode characters), but recommend (not
> require) that non-ASCII characters be escaped when the policy appears
> in an HTTP header.
>
> Cheers,
> Brian
>
>
Received on Thursday, 15 January 2015 18:17:36 UTC
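The two path-matching behaviours argued over above, as an added example that is not part of the thread and not the CSP2 spec's own algorithm: model A percent-decodes the policy path once before comparing it with the serialized URL path (the "double-escaping" rule), model B compares literally and rejects "," and ";" at parse time (the suggestion in the reply). The matcher, the sample URLs and the ni-style hash segment are assumptions constructed for the demonstration; the URL side is serialized with the WHATWG `URL` class, which is what "HTML5 URL comparison" refers to.

```javascript
// Added example: a small model of the two CSP path-matching approaches
// debated in the thread. It is not the CSP2 algorithm itself; the
// decode-once behaviour, the literal alternative and the sample URLs are
// assumptions chosen to make the ';' and '%' cases visible.

// Percent-decode well-formed %XX sequences exactly once, byte-wise, leaving
// malformed sequences (e.g. "%zz") untouched, like the WHATWG URL
// percent-decode step. For ASCII paths this is an exact comparison key.
function percentDecodeOnce(s) {
  return s.replace(/%([0-9A-Fa-f]{2})/g, (_, hex) =>
    String.fromCharCode(parseInt(hex, 16)));
}

// Segment-wise path comparison in the style of CSP source-expression
// matching: a source path that does not end in "/" must match the whole
// URL path; one that ends in "/" matches any URL path under that prefix.
function pathSegmentsMatch(sourcePath, urlPath) {
  const src = sourcePath.split("/").slice(1); // drop "" before leading "/"
  const dst = urlPath.split("/").slice(1);
  if (!sourcePath.endsWith("/")) {
    return src.length === dst.length && src.every((seg, i) => seg === dst[i]);
  }
  src.pop(); // the "" produced by the trailing "/"
  return src.length <= dst.length && src.every((seg, i) => seg === dst[i]);
}

// Model A: double escaping. The policy path is percent-decoded once before
// comparison, so "%3B" in the policy stands for ";" in the URL, and a
// literal "%25" in the URL must be written "%2525" in the policy.
function matchDoubleEscaped(sourcePath, url) {
  return pathSegmentsMatch(percentDecodeOnce(sourcePath), new URL(url).pathname);
}

// Model B: the alternative proposed in the reply. No decoding at all; the
// policy path is compared literally against the serialized URL path, and
// "," and ";" are rejected at policy-parse time because they are the
// policy and directive delimiters.
function literalPathAllowed(sourcePath) {
  return !/[,;]/.test(sourcePath);
}
function matchLiteral(sourcePath, url) {
  if (!literalPathAllowed(sourcePath)) {
    throw new Error(`invalid source path (contains ',' or ';'): ${sourcePath}`);
  }
  return pathSegmentsMatch(sourcePath, new URL(url).pathname);
}

// Constructed sample URLs (not from the thread): an ni-style "alg;hash"
// segment of the kind ni:///sha-256;... uses, and a file name containing a
// literal '%'.
const NI_HASH = "sha-256;f4OxZX_x_FO5LcGBSKHWXfwtSx-j1ncoSt3SABJtkGk";
const NI_STYLE_URL = `https://cdn.example/ni/${NI_HASH}`;
const PERCENT_URL = "https://cdn.example/files/50%25off.png";

function demo() {
  return {
    // ';' is reachable only through double escaping (the ni:/// objection)...
    semicolonDoubleEscaped: matchDoubleEscaped(`/ni/${NI_HASH.replace(";", "%3B")}`, NI_STYLE_URL),
    // ...while under model B it can only be covered by a prefix match.
    semicolonLiteralPrefix: matchLiteral("/ni/", NI_STYLE_URL),
    // The price of decode-once: the obvious policy for a '%' path fails...
    percentNaive: matchDoubleEscaped("/files/50%25off.png", PERCENT_URL),
    // ...until the author escapes the '%' a second time.
    percentDoubleEscaped: matchDoubleEscaped("/files/50%2525off.png", PERCENT_URL),
    // Model B takes the path exactly as written.
    percentLiteral: matchLiteral("/files/50%25off.png", PERCENT_URL),
  };
}
```

Run `demo()` to see the trade-off in one object: model A can express the ";" segment but surprises anyone whose path contains "%", model B never surprises on "%" but cannot name a ";" segment at all except by a trailing-slash prefix. Whether the URL side should also be decoded, and what that means for a path containing "%25", is exactly the normalization question the thread is trying to pin down, which is why the model keeps the URL side as the WHATWG serialization and decodes nothing there.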