- From: Brian Smith <brian@briansmith.org>
- Date: Sun, 18 Jan 2015 21:28:17 -0800
- To: Brad Hill <hillbrad@gmail.com>
- Cc: Mike West <mkwst@google.com>, Anne van Kesteren <annevk@annevk.nl>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Hill <hillbrad@gmail.com> wrote: > Umm... ; in a path is pretty common, isn't it? I don't know if we can just > refuse to allow it. ni:/// URIs use it, e.g. which are pretty much brand > new and which we're using in SRI. Note that if you include the ";" character in a ni:/// URL in a CSP source expression, you'll need to percent-encoded the ";" character, so it will be even more of an unreadable mess than it normally is. But, would anybody actually ever include the ";" character in a ni:/// URL in a CSP source expression? ";" is used for appending the parameters to the digest used in the ni:/// URL. It doesn't seem particularly helpful to include the parameters in a ni:/// URL used in a CSP source expression. Anyway, I admit that the idea of temporarily not allowing ";" and "," in source expressions is not that great. But, the double-URL-escaping seems worse to me, in terms of usability, especially for users of languages that can't be encoded in ASCII. Cheers, Brian
Received on Monday, 19 January 2015 05:28:43 UTC