我的书签
添加书签
移除书签Authorization Policy Normalization
For more information, please refer to authorization normalization best practices.
This applies to the paths and notPaths field.
Istio will normalize the single percent-encoded character as follows (normalization happens only once, no double decoding):
For example, the request with path /some%2fdata/%61%62%63 will be normalized to /some/data/abc.
2. Backslash (\)
Istio will normalize the backslash \ to the forward slash /. For example, the request with path will be normalized to /some/data.
This is enabled by default with the normalization option BASE.
3. Multiple forward slashes (//, ///, etc.)
Istio will merge multiple forward slashes to a single forward slash (/). For example, the request with path /some//data///abc will be normalized to /some/data/abc.
Istio will resolve single dot /./ and double dot /../ according to RFC 3986. The single dot will be resolved as the current directory, and the double dots will be resolved as the parent directory.
For example, /public/./data/abc/../xyz will be normalized to /public/data/xyz.
This is enabled by default with the normalization option BASE.
4. Path with query (/foo?v=1)
Istio authorization policy will remove anything after the question mark (?) when comparing with the path. Note the backend application will still see the query.
This is enabled by default.
This applies to the methods and notMethods field.
1. Method not in upper case
Istio will reject requests with HTTP 400 if the verb in the HTTP request is not in upper case.
This applies to the header name specified in the request.headers[<header-name>] condition.
Istio authorization policy will compare the header name with a case-insensitive approach.
This is enabled by default.
2. Duplicate headers
Istio will merge duplicate headers to a single header by concatenating all values using comma as a separator.
The authorization policy will do a simple string match on the merged headers. For example, a request with header x-header: foo and x-header: bar will be merged to x-header: foo,bar.
This is enabled by default.
3. White space in header name
Istio will reject requests with HTTP 400 if the header name includes any white spaces.
