Re: [CSP] URI/IRI normalization and comparison

Hill <hillbrad@gmail.com> wrote:
> Umm... ; in a path is pretty common, isn't it?  I don't know if we can just
> refuse to allow it.  ni:/// URIs use it, e.g. which are pretty much brand
> new and which we're using in SRI.

Note that if you include the ";" character in a ni:/// URL in a CSP
source expression, you'll need to percent-encoded the ";" character,
so it will be even more of an unreadable mess than it normally is.

But, would anybody actually ever include the ";" character in a ni:///
URL in a CSP source expression? ";" is used for appending the
parameters to the digest used in the ni:/// URL. It doesn't seem
particularly helpful to include the parameters in a ni:/// URL used in
a CSP source expression.

Anyway, I admit that the idea of temporarily not allowing ";" and ","
in source expressions is not that great. But, the double-URL-escaping
seems worse to me, in terms of usability, especially for users of
languages that can't be encoded in ASCII.

Cheers,
Brian

Received on Monday, 19 January 2015 05:28:43 UTC