Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Ensure that public HostSource ctor URL encodes comma and semicolon characters #166

Closed
shekyan opened this issue Dec 21, 2016 · 0 comments
Closed

Ensure that public HostSource ctor URL encodes comma and semicolon characters #166

shekyan opened this issue Dec 21, 2016 · 0 comments

Comments

@shekyan
Copy link
Collaborator

shekyan commented Dec 21, 2016
edited
Loading

While discussing #165 (comment), we agreed that semicolons are allowed by source expression grammar (path-part, in particular. ). However, semicolon is a directive delimiter, and comma is a policy delimiter.

While it is not possible to parse a policy that whitelists a URL containing ; or ,, it should be possible to parse and match percent encoded versions of such URLs. https://w3c.github.io/webappsec-csp/#match-paths covers this part by requiring to percent decode paths before matching.
shekyan added a commit to shekyan/salvation that referenced this issue Jan 1, 2017
@shekyan
fixes shapesecurityGH-166:
8153fec 
- handle `,` and `;` characters in source expression
- refactor path matching algorithm to reflect latest specification
shekyan added a commit to shekyan/salvation that referenced this issue Jan 2, 2017
@shekyan
fixes shapesecurityGH-166:
377c625 
- handle `,` and `;` characters in source expression
- refactor path matching algorithm to reflect latest specification
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@shekyan