- From: Mike West <mkwst@google.com>
- Date: Fri, 16 Jan 2015 11:06:59 +0100
- To: Brian Smith <brian@briansmith.org>
- Cc: Anne van Kesteren <annevk@annevk.nl>, "public-webappsec@w3.org" <public-webappsec@w3.org>
- Message-ID: <CAKXHy=dq=4hCDubZ7rhMsdh_7sreJ+dHsYD338_sD5yDXBKKfw@mail.gmail.com>
On Thu, Jan 15, 2015 at 6:54 PM, Brian Smith <brian@briansmith.org> wrote:

> 1. Stop referring to any RFCs for URI normalization. Instead, define
> the comparison in terms of the HTML5 URL comparison rules.

I've taken a stab at this in https://github.com/w3c/webappsec/commit/ae22342195ef00120c2a0d1ec1edb47b03bc5681. WDYT?

> 2. Don't require double-escaping. Double-escaping is required in order
> to allow paths to include "," and ";", but it causes unintuitive
> behavior for many other situations (any path that contains '%'). I
> suggest for CSP2 that you simply don't allow paths to contain "," and
> ";". In a future version, we can define a new escaping syntax that
> would allow paths to contain those two characters, e.g.
> "urlencoded:<url>".

Hrm. Given the limited number of source expressions that we'd expect to contain either of those characters, it's not clear that this is actually a better thing to confuse developers about than the encoding related to URLs containing '%'.

> 3. Allow IRIs (unescaped unicode characters), but recommend (not
> require) that non-ASCII characters be escaped when the policy appears
> in an HTTP header.

I'd like to defer this to CSP3. For the moment, the spec requires entry of internationalized domain names as Punycode; that seems like a good baseline of support that we can build upon. Filed https://github.com/w3c/webappsec/issues/145 to track it.

-mike

--
Mike West <mkwst@google.com>, @mikewest
Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registration court and number: Hamburg, HRB 86891, Registered office: Hamburg, Managing directors: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
Received on Friday, 16 January 2015 10:07:47 UTC
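Brian's second point, the separator and double-escaping problem, as an added Python example (not code from the thread, the spec, or any browser). It assumes a simplified matcher in which the header value is split on "," and ";" before anything else, and the policy's path-part is percent-decoded once and compared with the URL's path as written; keyword sources such as 'self' are out of scope.

```python
from urllib.parse import unquote, urlsplit

# Constructed model (assumption, not the spec's algorithm): "," separates
# policies and ";" separates directives, so either character can only reach
# a path percent-encoded; the policy path is percent-decoded once and then
# compared against the URL path as given, which is why a literal "%20" in a
# URL path has to be written "%2520" in the header (double-escaping).

def parse_header(value: str) -> list:
    """Split a Content-Security-Policy header value into policies,
    directives and source expressions. Directive names are case-insensitive."""
    policies = []
    for policy in value.split(","):
        directives = {}
        for directive in policy.split(";"):
            tokens = directive.split()
            if tokens:
                directives[tokens[0].lower()] = tokens[1:]
        policies.append(directives)
    return policies

def path_matches(source_expr: str, url: str) -> bool:
    """Match a host-source expression against a URL. A path-part ending in
    "/" is a prefix match, anything else must match exactly, and an empty
    path-part matches every path on that host."""
    src, target = urlsplit(source_expr), urlsplit(url)
    if src.scheme != target.scheme or src.netloc.lower() != target.netloc.lower():
        return False
    src_path = unquote(src.path)          # decoded once; target.path is not
    if not src_path:
        return True
    if src_path.endswith("/"):
        return target.path.startswith(src_path)
    return target.path == src_path

def allowed(header: str, directive: str, url: str) -> bool:
    """True only if every policy in the header has a matching source for the
    directive (multiple policies combine restrictively)."""
    return all(any(path_matches(s, url) for s in p.get(directive, []))
               for p in parse_header(header))

if __name__ == "__main__":
    # A raw ";" in a path is eaten by the directive split: the path is
    # truncated and a bogus directive "b/" appears.
    print(parse_header("img-src https://cdn.example/a;b/"))
    # Encoded ";" survives and decodes to the literal character in the path.
    print(allowed("img-src https://cdn.example/a%3Bb/", "img-src",
                  "https://cdn.example/a;b/x.png"))
    # The unintuitive consequence: "%20" in the header decodes to a space and
    # no longer matches the URL's "%20"; "%2520" is needed instead.
    print(allowed("img-src https://cdn.example/a%20b/", "img-src",
                  "https://cdn.example/a%20b/x.png"))
    print(allowed("img-src https://cdn.example/a%2520b/", "img-src",
                  "https://cdn.example/a%20b/x.png"))
```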