Thomas Roessler wrote:
On 2008-05-27 11:00:44 -0700, Jonas Sicking wrote:

What I suggest is that we prohibit the Access-Control-Policy-Path
header from being used on URIs that include the string "..\", in
escaped or unescaped form. One worry with this is if there are
encodings which put the '.' or '\' characters to other codepoints
than 2E and 5C respectively. I.e.  would we need to forbid its
use on URIs other than ones containing

That sounds like perpetuating a bad hack in a spec.  I'd rather see
us say -- in a note somewhere in the spec -- that servers will want
to be careful, and will want to, e.g., configure their respective
web application firewall to prevent this attack from occurring.

That's very different from having specific client conformance
requirements around this kind of server behavior.

I really dislike it too, but just putting a "be careful" note in the spec isn't going to help anyone.

If we don't put this in the spec I suspect that in reality this is something that implementations are going to want to do anyway. I guess I'm fine with having this as a non-normative note to ensure that implementations that want to be on the safe side can.

But at that point we might as well enforce it in the spec too so that sites can rely on it.

/ Jonas
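The rule Jonas proposes, written out as an added example (not code from the thread or from any Access-Control implementation): refuse to honour Access-Control-Policy-Path for a request URI that contains "..\" in raw or percent-escaped form, decoding repeatedly so double-escaped forms are also caught. The sample URIs are constructed; it covers percent-escaping only, not the alternate character encodings the first message worries about.

```python
import urllib.parse

# Added example, not from the thread. Before honouring an
# Access-Control-Policy-Path header, a client (or a server-side filter)
# checks whether the request URI contains "..\" in any percent-escaped
# form. Decoding is repeated a bounded number of times so that
# double-escaped forms such as %252e (-> %2e -> .) are caught as well.
# Limitation: this only handles percent-escaping. Alternate encodings
# that map '.' or '\' to bytes other than 2E and 5C are not covered,
# which is exactly the open concern raised in the thread.

DOTDOT_BACKSLASH = b"..\\"
MAX_DECODE_ROUNDS = 3


def policy_path_forbidden(uri: str) -> bool:
    """True if Access-Control-Policy-Path must be ignored for this URI."""
    current = uri.encode("utf-8", errors="surrogateescape")
    for _ in range(MAX_DECODE_ROUNDS + 1):
        if DOTDOT_BACKSLASH in current:
            return True
        decoded = urllib.parse.unquote_to_bytes(current)
        if decoded == current:  # nothing left to unescape: it's clean
            return False
        current = decoded
    # Still changing after the bound: do not trust it.
    return True


# Constructed sample URIs with the expected verdict for each.
SAMPLES = {
    "http://example.com/app/data.txt": False,
    "http://example.com/app/..\\other/": True,                 # unescaped
    "http://example.com/app/%2e%2e%5cother/": True,            # escaped
    "http://example.com/app/..%5Cother/": True,                # mixed, upper hex
    "http://example.com/app/%252e%252e%255cother/": True,      # double-escaped
    "http://example.com/app/a..b\\c": False,                   # ".." not before "\"
}


def check_samples() -> dict:
    """Evaluate every sample URI; used to confirm the rule behaves as stated."""
    return {u: policy_path_forbidden(u) for u in SAMPLES}
```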
