
[CSP] img-src *

From: Adam Barth <w3c@adambarth.com>
Date: Sun, 9 Oct 2011 13:45:36 -0700
Message-ID: <CAJE5ia8LRQ4QKxvvPPf5G-pQShUB=T4OBLRhseqU9vwoVLOxrg@mail.gmail.com>
To: public-web-security@w3.org
Cc: Ulfar Erlingsson <ulfar@google.com>
If the source-list for a directive is a single *, does that match all
URLs?  For example, consider this CSP policy:

img-src *

for a page from http://example.com/foo/bar.html.  Which of the
following URLs does that match?

1) http://www.example.org/images/logo.png
2) https://www.example.org/images/banana.png

What if the directive is one of the following:

img-src *.example.org
img-src www.example.org

?

My reading of the specification is that * is treated as a host
wildcard and that means we inherit the scheme, like we do for
non-wildcard hosts (lacking a scheme).  However, that's not what you
might expect intuitively, and it isn't consistent with Example 2 in
Section 3.6.

Thanks,
Adam
Received on Sunday, 9 October 2011 20:46:47 GMT
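To make the ambiguity in the question concrete, here is an added example (not part of the original message or of any browser's implementation) that matches the two URLs against the three source lists under both readings of a bare `*`: as a host wildcard that inherits the document's scheme, and as a match for any URL. Ports and paths are ignored, which is an assumption of this illustration.

```javascript
// Added example, not part of the original message: a minimal matcher for the
// CSP host-source forms discussed in the thread. Ports and paths are ignored.
// Two readings of a bare "*" are modelled: (a) host wildcard that inherits the
// document's scheme (the reading described above), (b) matches any URL.

// Parse one source expression into { scheme, host }. `scheme` is null when
// the expression carries none; `host` may be "*" or start with "*.".
function parseSource(expr) {
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)$/i.exec(expr);
  if (!m) throw new Error(`unsupported source expression: ${expr}`);
  return { scheme: m[1] ? m[1].toLowerCase() : null, host: m[2].toLowerCase() };
}

// Host comparison: "*" matches any host, "*.example.org" matches subdomains
// of example.org (not example.org itself), anything else must be identical.
function hostMatches(pattern, host) {
  if (pattern === "*") return true;
  if (pattern.startsWith("*.")) {
    const suffix = pattern.slice(1); // ".example.org"
    return host.endsWith(suffix) && host.length > suffix.length;
  }
  return pattern === host;
}

// Does `resourceUrl` match any expression in `sourceList` for a document at
// `documentUrl`? A source with no scheme inherits the document's scheme.
// With bareStarIgnoresScheme=true a lone "*" matches regardless of scheme.
function cspMatches(sourceList, documentUrl, resourceUrl, { bareStarIgnoresScheme = false } = {}) {
  const docScheme = new URL(documentUrl).protocol.slice(0, -1);
  const res = new URL(resourceUrl);
  const resScheme = res.protocol.slice(0, -1);
  return sourceList.split(/\s+/).filter(Boolean).some((expr) => {
    const { scheme, host } = parseSource(expr);
    if (scheme === null && host === "*" && bareStarIgnoresScheme) return true;
    const wantScheme = scheme ?? docScheme;
    return wantScheme === resScheme && hostMatches(host, res.hostname);
  });
}

// The two URLs from the question, against a page at http://example.com/foo/bar.html.
const page = "http://example.com/foo/bar.html";
const urls = ["http://www.example.org/images/logo.png", "https://www.example.org/images/banana.png"];
for (const u of urls) {
  console.log(u, "| img-src * (inherit scheme):", cspMatches("*", page, u),
              "| (any URL):", cspMatches("*", page, u, { bareStarIgnoresScheme: true }));
}
```

Under the scheme-inheriting reading only the http:// URL matches `img-src *`; under the any-URL reading both do, which is exactly the divergence the message points at.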
