Ian Hickson wrote:
On Sun, 25 May 2008, Jonas Sicking wrote:
Access Control for Cross-Site Requests
* Need to deal with Access-Control-Policy-Path normalization
Done.
I think we do need to deal with this. Just leaving it be will I think
will cause exploitable servers out there.
I don't understand how this is different to anything else that servers can
do to shoot themselves in the foot. I think that the danger for authors
using misconfigured and IIS servers is far outweighed by the benefit to
all authors in terms of the reduced load. Firing an OPTIONS request for
every single request is a high cost.
It is different in its likelihood to happen. I think we can expect
people to deploy all the features of this spec on IIS. We do have a
requirement that the spec should be deployable on existing servers and I
think we're currently failing that requirement.
What I suggest is that we prohibit the Access-Control-Policy-Path header
from being used on URIs that include the string "..\", in escaped or
unescaped form. One worry with this is if there are encodings which put
the '.' or '\' characters to other codepoints than 2E and 5C
respectively. I.e. would we need to forbid its use on URIs other than
ones containing
(.|%2e)(.|%2e)(\|%5c)
/ Jonas