On Tue, 27 May 2008, Jonas Sicking wrote: > > What I suggest is that we prohibit the Access-Control-Policy-Path header > from being used on URIs that include the string "..\", in escaped or > unescaped form. One worry with this is if there are encodings which put > the '.' or '\' characters to other codepoints than 2E and 5C > respectively. I.e. would we need to forbid its use on URIs other than > ones containing > > (.|%2e)(.|%2e)(\|%5c)
I could live with that. -- Ian Hickson U+1047E )\._.,--....,'``. fL http://ln.hixie.ch/ U+263A /, _.. \ _\ ;`._ ,. Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
