Re: draft-montenegro-httpbis-uri-encoding
Zhong Yu <zhong.j.yu@gmail.com> Mon, 24 March 2014 15:07 UTC
Return-Path: <ietf-http-wg-request@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ED9DA1A019E for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Mon, 24 Mar 2014 08:07:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.012
X-Spam-Level:
X-Spam-Status: No, score=-7.012 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wYiaZdomyMTw for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Mon, 24 Mar 2014 08:07:38 -0700 (PDT)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) by ietfa.amsl.com (Postfix) with ESMTP id BF0811A0218 for <httpbisa-archive-bis2Juki@lists.ietf.org>; Mon, 24 Mar 2014 08:07:35 -0700 (PDT)
Received: from lists by frink.w3.org with local (Exim 4.72) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1WS6Si-0000gQ-G6 for ietf-http-wg-dist@listhub.w3.org; Mon, 24 Mar 2014 15:06:52 +0000
Resent-Date: Mon, 24 Mar 2014 15:06:52 +0000
Resent-Message-Id: <E1WS6Si-0000gQ-G6@frink.w3.org>
Received: from maggie.w3.org ([128.30.52.39]) by frink.w3.org with esmtp (Exim 4.72) (envelope-from <zhong.j.yu@gmail.com>) id 1WS6SV-0000dZ-2h for ietf-http-wg@listhub.w3.org; Mon, 24 Mar 2014 15:06:39 +0000
Received: from mail-oa0-f45.google.com ([209.85.219.45]) by maggie.w3.org with esmtps (TLS1.0:RSA_ARCFOUR_SHA1:16) (Exim 4.72) (envelope-from <zhong.j.yu@gmail.com>) id 1WS6SU-0006vQ-6h for ietf-http-wg@w3.org; Mon, 24 Mar 2014 15:06:39 +0000
Received: by mail-oa0-f45.google.com with SMTP id eb12so5695678oac.32 for <ietf-http-wg@w3.org>; Mon, 24 Mar 2014 08:06:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; bh=nO+GOnsIHEOBuxBrUiaaO+pRA/uCEOTwDqpPMsgm18w=; b=ejtl4nJlqzsTLNG0W4KVYrpEOk+DJcJp0I37pXsbJR8ER7LznNHyVUx+qGXYm01I+2 cOEeH3nidODK3uBvsh85Gr9GqHApEbAk1uFz8csOVO9h2s37YslV836P84CJhKjEEw6Z z2nuDGqi7FWa9vgO3FEPoPZ761rnnVgQK4nt1DmCrrTs+m3eRbYqj8+HnTM1TiJtsWjQ +TIIfG4ie8E/IstMtlQ6MOoognHnRfq8+IhJpmL18zDhf3w5lxeT1pVs/EH23mdEhipC 0VdSGf13luSYSIscnh3wh1la0ZocVTqVyeNHHS7B/OE3xPQ0iT8naK/qp8vy4xFzFnck KV6Q==
MIME-Version: 1.0
X-Received: by 10.182.149.168 with SMTP id ub8mr1285918obb.74.1395673572255; Mon, 24 Mar 2014 08:06:12 -0700 (PDT)
Received: by 10.76.106.140 with HTTP; Mon, 24 Mar 2014 08:06:12 -0700 (PDT)
In-Reply-To: <545475f4642c9923d2ab076798a24ad6.squirrel@arekh.dyndns.org>
References: <F7DFCF7F-8958-462C-BA97-FBBC96BBEE7D@mnot.net> <CACuKZqFjHXxzmO8onrggPDn7V18DRsMap2USsxPFA8KHDGYjig@mail.gmail.com> <532C6089.4090307@gmx.de> <CACuKZqFYG9HAp+1b0aVcjbRLO7tApVfAuBq0wxxvcB-2oz9U8Q@mail.gmail.com> <380F3763-CAC9-45AF-A5D5-5B9AA9E2D977@mnot.net> <545475f4642c9923d2ab076798a24ad6.squirrel@arekh.dyndns.org>
Date: Mon, 24 Mar 2014 10:06:12 -0500
Message-ID: <CACuKZqHbU4hegYrMkCAWJY7xHpX9quyg47wRnQV-ko3cwONLQQ@mail.gmail.com>
From: Zhong Yu <zhong.j.yu@gmail.com>
To: Nicolas Mailhot <nicolas.mailhot@laposte.net>
Cc: Mark Nottingham <mnot@mnot.net>, "Julian F. Reschke" <julian.reschke@gmx.de>, Gabriel Montenegro <gabriel.montenegro@microsoft.com>, HTTP Working Group <ietf-http-wg@w3.org>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
Received-SPF: pass client-ip=209.85.219.45; envelope-from=zhong.j.yu@gmail.com; helo=mail-oa0-f45.google.com
X-W3C-Hub-Spam-Status: No, score=-3.5
X-W3C-Hub-Spam-Report: AWL=-2.705, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001
X-W3C-Scan-Sig: maggie.w3.org 1WS6SU-0006vQ-6h 5b83b7fa56c3eba382ededd9ba2144b9
X-Original-To: ietf-http-wg@w3.org
Subject: Re: draft-montenegro-httpbis-uri-encoding
Archived-At: <http://www.w3.org/mid/CACuKZqHbU4hegYrMkCAWJY7xHpX9quyg47wRnQV-ko3cwONLQQ@mail.gmail.com>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/22875
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>
Hi, can you give a specific example? A real-world URL you want to block, and how an adversary could circumvent it. The threat model may be obvious to your industry, but not so much to the others. On Mon, Mar 24, 2014 at 4:20 AM, Nicolas Mailhot <nicolas.mailhot@laposte.net> wrote: > > Le Sam 22 mars 2014 00:30, Mark Nottingham a écrit : > >> In particular, this seems like something that needs to be coupled to >> *where* the link originates; e.g., a browsers' behaviour for a link from >> an address bar is likely to be different than that from an 'a' tag, and >> even again different from a JavaScript-generated link. > > True. > What last decade unicode migration taught us, is that once you allow text > with undefined encoding in the pipeline, things are going to fail. > Encoding really wants to be end-to-end. > > Still, this is little different from mime-types, where everyone relies on > mime-type hints for things to work well, but servers and web clients > sometimes have to infer them in less-than optimal ways to fill in the http > headers. Asking for url encoding to be defined at the http level (with a > fallback to a clear encoding default otherwise) is similar, with the > detection pushed to servers and web clients, which will presumably push > for better behaviour elsewhere to avoid being saddled with the heuristics > currently pushed on network nodes. > > I'll add that we are living in an insecure world right now, that to > mitigate security problems everyone has been adding blacklists of > known-bad urls (from browsers to java to adobe reader to various security > extensions) but those blacklists rely on someone being able to review and > curate them. Which is obviously is a problem when you start to accept URLs > you're not able to decode or display in any reasonable manner. > > Regards, > > -- > Nicolas Mailhot >
- Re: draft-montenegro-httpbis-uri-encoding Nicolas Mailhot
- draft-montenegro-httpbis-uri-encoding Mark Nottingham
- Re: draft-montenegro-httpbis-uri-encoding Matthew Kerwin
- Re: draft-montenegro-httpbis-uri-encoding Amos Jeffries
- Re: draft-montenegro-httpbis-uri-encoding Mark Nottingham
- Re: draft-montenegro-httpbis-uri-encoding Julian Reschke
- Re: draft-montenegro-httpbis-uri-encoding Nicolas Mailhot
- Re: draft-montenegro-httpbis-uri-encoding Julian Reschke
- Re: draft-montenegro-httpbis-uri-encoding Amos Jeffries
- Re: draft-montenegro-httpbis-uri-encoding Amos Jeffries
- Re: draft-montenegro-httpbis-uri-encoding Nicolas Mailhot
- Re: draft-montenegro-httpbis-uri-encoding Julian Reschke
- Re: draft-montenegro-httpbis-uri-encoding Nicolas Mailhot
- Re: draft-montenegro-httpbis-uri-encoding Julian Reschke
- Re: draft-montenegro-httpbis-uri-encoding Michael Sweet
- Re: draft-montenegro-httpbis-uri-encoding Bjoern Hoehrmann
- Re: draft-montenegro-httpbis-uri-encoding Nicolas Mailhot
- Re: draft-montenegro-httpbis-uri-encoding Mike Belshe
- Re: draft-montenegro-httpbis-uri-encoding Julian Reschke
- Re: draft-montenegro-httpbis-uri-encoding Nicolas Mailhot
- Re: draft-montenegro-httpbis-uri-encoding Julian Reschke
- Re: draft-montenegro-httpbis-uri-encoding Martin J. Dürst
- Re: draft-montenegro-httpbis-uri-encoding Nicolas Mailhot
- Re: draft-montenegro-httpbis-uri-encoding Julian Reschke
- Re: draft-montenegro-httpbis-uri-encoding Nicolas Mailhot
- Re: draft-montenegro-httpbis-uri-encoding Nicolas Mailhot
- Re: draft-montenegro-httpbis-uri-encoding Poul-Henning Kamp
- Re: draft-montenegro-httpbis-uri-encoding Julian Reschke
- Re: draft-montenegro-httpbis-uri-encoding Julian Reschke
- Re: draft-montenegro-httpbis-uri-encoding Poul-Henning Kamp
- Re: draft-montenegro-httpbis-uri-encoding Martin Nilsson
- Re: draft-montenegro-httpbis-uri-encoding Nicolas Mailhot
- Re: draft-montenegro-httpbis-uri-encoding Willy Tarreau
- Re: draft-montenegro-httpbis-uri-encoding Julian Reschke
- Re: draft-montenegro-httpbis-uri-encoding Julian Reschke
- Re: draft-montenegro-httpbis-uri-encoding Nicolas Mailhot
- Re: draft-montenegro-httpbis-uri-encoding Poul-Henning Kamp
- Re: draft-montenegro-httpbis-uri-encoding Bjoern Hoehrmann
- Re: draft-montenegro-httpbis-uri-encoding Julian Reschke
- Re: draft-montenegro-httpbis-uri-encoding Poul-Henning Kamp
- Re: draft-montenegro-httpbis-uri-encoding Zhong Yu
- Re: draft-montenegro-httpbis-uri-encoding Bjoern Hoehrmann
- Re: draft-montenegro-httpbis-uri-encoding Zhong Yu
- Re: draft-montenegro-httpbis-uri-encoding Julian Reschke
- Re: draft-montenegro-httpbis-uri-encoding Zhong Yu
- Re: draft-montenegro-httpbis-uri-encoding Bjoern Hoehrmann
- Re: draft-montenegro-httpbis-uri-encoding Martin J. Dürst
- Re: draft-montenegro-httpbis-uri-encoding Mark Nottingham
- RE: draft-montenegro-httpbis-uri-encoding Gabriel Montenegro
- RE: draft-montenegro-httpbis-uri-encoding Julian Reschke
- Re: draft-montenegro-httpbis-uri-encoding Julian Reschke
- Re: draft-montenegro-httpbis-uri-encoding Zhong Yu
- Re: draft-montenegro-httpbis-uri-encoding Julian Reschke
- Re: draft-montenegro-httpbis-uri-encoding Martin J. Dürst
- Re: draft-montenegro-httpbis-uri-encoding Martin J. Dürst
- Re: draft-montenegro-httpbis-uri-encoding Nicolas Mailhot
- Re: draft-montenegro-httpbis-uri-encoding Zhong Yu
- Re: draft-montenegro-httpbis-uri-encoding Bjoern Hoehrmann