
Re: [CSP] URI/IRI normalization and comparison

From: Brian Smith <brian@briansmith.org>
Date: Sun, 18 Jan 2015 21:28:17 -0800
Message-ID: <CAFewVt4dZ9hFLZEeCVQKevmd9m+Q8bi4Zf72NxEP8SGNd3nPdg@mail.gmail.com>
To: Brad Hill <hillbrad@gmail.com>
Cc: Mike West <mkwst@google.com>, Anne van Kesteren <annevk@annevk.nl>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Hill <hillbrad@gmail.com> wrote:
> Umm... ; in a path is pretty common, isn't it?  I don't know if we can just
> refuse to allow it.  ni:/// URIs use it, e.g. which are pretty much brand
> new and which we're using in SRI.

Note that if you include the ";" character in a ni:/// URL in a CSP
source expression, you'll need to percent-encode the ";" character,
so it will be even more of an unreadable mess than it normally is.

But, would anybody actually ever include the ";" character in a ni:///
URL in a CSP source expression? ";" is used for appending the
parameters to the digest used in the ni:/// URL. It doesn't seem
particularly helpful to include the parameters in a ni:/// URL used in
a CSP source expression.

Anyway, I admit that the idea of temporarily not allowing ";" and ","
in source expressions is not that great. But, the double-URL-escaping
seems worse to me, in terms of usability, especially for users of
languages that can't be encoded in ASCII.

Received on Monday, 19 January 2015 05:28:43 UTC
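Added example, not part of the original message or of any CSP implementation: a Python sketch of why a raw ";" or "," inside a source expression does not survive parsing of the policy header, and how the percent-encoded form does. The host `cdn.example`, the paths, and the helper names are constructed for illustration; `path_matches` is a simplified stand-in for the comparison step and assumes scheme and host were already checked.

```python
from urllib.parse import unquote

def parse_csp_header(value):
    """Split a header value: ',' separates policies, ';' separates
    directives, whitespace separates a directive name from its sources."""
    policies = []
    for policy_text in value.split(","):
        directives = {}
        for directive_text in policy_text.split(";"):
            tokens = directive_text.split()
            if tokens:
                # Keep the first occurrence of a directive name.
                directives.setdefault(tokens[0].lower(), tokens[1:])
        if directives:
            policies.append(directives)
    return policies

def encode_source(source):
    """Percent-encode the two characters the header grammar reserves."""
    return source.replace(";", "%3B").replace(",", "%2C")

def path_matches(source, url):
    """Simplified comparison (assumption): exact match after
    percent-decoding both sides, no wildcards or prefix matching."""
    return unquote(source) == unquote(url)

# Constructed sample URLs with ';' and ',' in the path.
SEMI_URL = "https://cdn.example/scripts;v=2/app.js"
COMMA_URL = "https://cdn.example/a,b.png"

def demo():
    raw = parse_csp_header(f"script-src 'self' {SEMI_URL}; object-src 'none'")
    enc = parse_csp_header(
        f"script-src 'self' {encode_source(SEMI_URL)}; object-src 'none'")
    comma = parse_csp_header(f"img-src {COMMA_URL}")
    return raw, enc, comma

if __name__ == "__main__":
    raw, enc, comma = demo()
    print("raw ';'   :", raw)    # source cut at ';', stray directive appears
    print("encoded   :", enc)    # source expression intact
    print("raw ','   :", comma)  # header splits into two policies
```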
