Constant-time handling · Issue #7 · w3ctag/capability-urls · GitHub

Constant-time handling #7

@martinthomson

Description


For the paranoid.

If a capability URL is a secret, then it needs to be treated as such.

URL encoding

Encoding a URL, which by definition uses characters from the US-ASCII range exclusively, in a different character encoding could reveal bits of information from the URL in a timing side channel. That is, if the encoding process needs to look at the value of a character and makes a decision based on it, then that potentially reveals information about the character.

In practice, this is unlikely to be an issue, since all the UTF forms wouldn't result in exposing any information other than that the character has a Unicode code point <= 0x7f. However, if sites expose capability URLs as IRIs, then potentially bad things happen.

Encoding of entropy

base64 encoding, which is extremely common, can reveal side channel information during the process of either constructing or parsing the URL.

Comparisons

When determining whether a candidate capability URL is valid or not, comparisons need to be constant time. In particular, that means that you can't fail immediately when a comparison of a character fails. Doing so allows an attacker to observe the time taken to perform the comparison and to use this information to construct a valid capability URL.
