On Fri, Feb 20, 2015 at 9:38 PM, Jonas Sicking <jo...@sicking.cc> wrote:
> On Fri, Feb 20, 2015 at 1:05 AM, Anne van Kesteren <ann...@annevk.nl> wrote:
>> An alternative is that we attempt to introduce
>> Access-Control-Policy-Path again from 2008. The problems you raised
>> https://lists.w3.org/Archives/Public/public-appformats/2008May/0037.html
>> seem surmountable. URL parsing is defined in more detail these days
>> and we could simply ban URLs containing escaped \ and /.
>
> I do remember that another issue that came up back then was that
> servers would treat more than just '\', or the escaped version
> thereof, as a /. But also any character whose low-byte was equal to
> the ASCII code for '\' or '/'. I.e. the server would just cut the
> high-byte when doing some internal 2byte-string to 1byte-string
> conversion. Potentially this conversion is affected by what character
> encodings the server is configured for too, but I'm less sure about
> that.

High-byte of what? A URL is within ASCII range when it reaches the server.
This is the first time I hear of this.

--
https://annevankesteren.nl/
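
An added example, not part of either message and not any server's actual code: a Python model of the narrowing described in the quoted text, together with a check that rejects policy paths containing escaped `\` or `/` or a character that would narrow to one. It assumes the server percent-decodes the path as UTF-8 into 16-bit code units and then keeps only each unit's low byte; the function names and sample paths are constructed for illustration.

```python
import re
from urllib.parse import unquote

SEPARATOR_BYTES = {0x2F, 0x5C}  # '/' and '\'
ESCAPED_SEPARATOR = re.compile(r"%(2f|5c)", re.IGNORECASE)


def narrow(text):
    """Model the lossy 2-byte to 1-byte conversion (an assumption about
    the server): keep only the low byte of every UTF-16 code unit."""
    units = text.encode("utf-16-be")      # high byte first, low byte second
    return units[1::2].decode("latin-1")  # drop every high byte


def policy_path_problems(raw_path):
    """Return the reasons a policy path should be rejected (empty if none)."""
    problems = []
    # Rule from the thread: ban URLs containing escaped '\' and '/'.
    for match in ESCAPED_SEPARATOR.finditer(raw_path):
        problems.append(
            f"escaped separator {match.group(0)} at offset {match.start()}"
        )
    # Extra rule for truncating servers: after percent-decoding, no
    # character above U+00FF may have a code unit whose low byte is a
    # separator (astral characters are checked via their surrogates).
    for ch in unquote(raw_path):
        low_bytes = set(ch.encode("utf-16-be")[1::2])
        if ord(ch) > 0xFF and SEPARATOR_BYTES & low_bytes:
            problems.append(f"U+{ord(ch):04X} narrows to a separator")
    return problems


if __name__ == "__main__":
    # Constructed sample paths; %C4%AF is the UTF-8 encoding of U+012F.
    for sample in ("/app/a%C4%AFb", "/app/a%2Fb", "/app/caf%C3%A9"):
        print(sample, "->", repr(narrow(unquote(sample))),
              policy_path_problems(sample))
```

The raw path is pure ASCII in all three samples; the non-ASCII character only exists after percent-decoding, which is the step at which the modelled conversion would apply.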