Re: [CSP] URI/IRI normalization and comparison

On Thu, Jan 15, 2015 at 6:54 PM, Brian Smith <brian@briansmith.org> wrote:

> 1. Stop referring to any RFCs for URI normalization. Instead, define
> the comparison in terms of the HTML5 URL comparison rules.
>

I've taken a stab at this in
https://github.com/w3c/webappsec/commit/ae22342195ef00120c2a0d1ec1edb47b03bc5681.
WDYT?


> 2. Don't require double-escaping. Double-escaping is required in order
> to allow paths to include "," and ";", but it causes unintuitive
> behavior for many other situations (any path that contains '%'). I
> suggest for CSP2 that you simply don't allow paths to contain "," and
> ";". In a future version, we can define a new escaping syntax that
> would allow paths to contain those two characters, e.g.
> "urlencoded:<url>".
>

Hrm. Given the limited number of source expressions that we'd expect to
contain either of those characters, it's not clear that this is actually a
better thing to confuse developers about than the encoding related to URLs
containing '%'.

> 3. Allow IRIs (unescaped Unicode characters), but recommend (not
> require) that non-ASCII characters be escaped when the policy appears
> in an HTTP header.
>

I'd like to defer this to CSP3. For the moment, the spec requires entry of
internationalized domain names as Punycode; that seems like a good baseline
of support that we can build upon. Filed
https://github.com/w3c/webappsec/issues/145 to track it.

-mike

--
Mike West <mkwst@google.com>, @mikewest

Google Germany GmbH, Dienerstrasse 12, 80331 München,
Germany, Registration court and number: Hamburg, HRB 86891, Registered
office: Hamburg, Managing directors: Graham Law, Christine Elizabeth
Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

Received on Friday, 16 January 2015 10:07:47 UTC
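
Background to point 2 of the thread, as an added example that is not part of the original message or of the spec text: "," separates policies in a header value and ";" separates directives, so a source expression whose path contains either character raw is cut short during parsing, while the percent-encoded form survives and matches. The hosts, paths and function names are constructed, and the matching is a simplified assumption (exact path match, both sides percent-decoded per segment, no default-src fallback).

```javascript
// Added illustration: simplified model of CSP header parsing and path matching.
// Hosts, paths and function names are constructed for this example.

// Percent-decode one path segment; malformed escapes are left as written.
function decodeSegment(seg) {
  try { return decodeURIComponent(seg); } catch { return seg; }
}

// "," separates policies in a header value, ";" separates directives in a
// policy, and whitespace separates a directive's name from its sources.
function parseHeader(value) {
  return value.split(",").map((policy) => {
    const directives = new Map();
    for (const part of policy.split(";")) {
      const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
      if (name && !directives.has(name.toLowerCase())) {
        directives.set(name.toLowerCase(), sources);
      }
    }
    return directives;
  });
}

// Assumption: exact match, both paths percent-decoded segment by segment.
function pathMatches(sourcePath, urlPath) {
  const a = sourcePath.split("/").map(decodeSegment);
  const b = urlPath.split("/").map(decodeSegment);
  return a.length === b.length && a.every((seg, i) => seg === b[i]);
}

// Every policy in the header must allow the URL (no default-src fallback here).
function allows(headerValue, directive, url) {
  const target = new URL(url);
  return parseHeader(headerValue).every((policy) => {
    const sources = policy.get(directive);
    if (!sources) return true; // this policy does not restrict the directive
    return sources.some((src) => {
      let s;
      try { s = new URL(src); } catch { return false; }
      return s.origin === target.origin && pathMatches(s.pathname, target.pathname);
    });
  });
}

// Constructed sample policies: the same path written raw and percent-encoded.
const RAW = "script-src https://cdn.example/lib;v=2/app.js";
const ENCODED = "script-src https://cdn.example/lib%3Bv=2/app.js";
console.log(parseHeader(RAW)[0].get("script-src")); // source list after the raw ";" split
console.log(allows(ENCODED, "script-src", "https://cdn.example/lib;v=2/app.js"));
```

With the raw form the policy ends up allowing `https://cdn.example/lib` rather than the intended script, so the failure is a silently different policy, not a parse error.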