Umm... ; in a path is pretty common, isn't it? I don't know if we can just refuse to allow it. ni:/// URIs use it, e.g. which are pretty much brand new and which we're using in SRI. On Thu Jan 15 2015 at 9:56:44 AM Brian Smith <brian@briansmith.org> wrote: > Mike West <mkwst@google.com> wrote: > > Hi Brian and Anne! > > > > After reading this thread through, I'm confused. It's clear there's a > > problem, but it's not clear what's being suggested as a solution. :) > > > > Would one of you mind summarizing the concrete suggestions? I'm happy to > > make whatever spec changes make sense to resolve the encoding problems > > you've pointed out. > > I would suggest: > > 1. Stop referring to any RFCs for URI normalization. Instead, define > the comparison in terms of the HTML5 URL comparison rules. > > 2. Don't require double-escaping. Double-escaping is required in order > to allow paths to include "," and ";", but it causes unintuitive > behavior for many other situations (any path that contains '%'). I > suggest for CSP2 that you simply don't allow paths to contain "," and > ";". In a future version, we can define a new escaping syntax that > would allow paths to contain those two characters, e.g. > "urlencoded:<url>". > > 3. Allow IRIs (unescaped unicode characters), but recommend (not > require) that non-ASCII characters be escaped when the policy appears > in an HTTP header. > > Cheers, > Brian > >
Received on Thursday, 15 January 2015 18:17:36 UTC