
Re: [CSP] img-src *

From: Devdatta Akhawe <dev.akhawe@gmail.com>
Date: Sun, 9 Oct 2011 20:02:28 -0700
Message-ID: <CAPfop_3eCvw7wqM6YnSz9+vAq533Qn5W2F442LcDFtrzKxyr6Q@mail.gmail.com>
To: Adam Barth <w3c@adambarth.com>
Cc: public-web-security@w3.org, Ulfar Erlingsson <ulfar@google.com>
On 9 October 2011 13:45, Adam Barth <w3c@adambarth.com> wrote:
> If the source-list for a directive is a single * , does that match all
> URLs?  For example, consider this CSP policy:
>
> img-src *
>
> for a page from http://example.com/foo/bar.html.  Which of the
> following URLs does that match?
>
> 1) http://www.example.org/images/logo.png
> 2) https://www.example.org/images/banana.png
>

With the current wording of the spec, I agree that it will only allow
the first and that is counter-intuitive. I think CSP should be changed
so that any * without a specified scheme also matches any port. Since
the * is always the left most label, I don't think it will be
too counter-intuitive to make this change: the * glob will now even
eat the scheme. Thus,

> img-src *.example.org

will allow both images.

> img-src www.example.org

will allow none of the images. This sucks though.


=dev

> What if the directive is one of the follows:
>
> img-src *.example.org
> img-src www.example.org
>
> ?
>
> My reading of the specification is that * is treated as a host
> wildcard and that means we inherit the scheme, like we do for
> non-wildcard hosts (lacking a scheme).  However, that's not what you
> might expect intuitively, and it isn't consistent with Example 2 in
> Section 3.6.
>
> Thanks,
> Adam
>
>
Received on Monday, 10 October 2011 03:03:17 GMT
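As an added illustration (my own code, not from the thread or the CSP spec): a small matcher that models the two readings discussed above, the draft's rule that a schemeless source inherits the page's scheme and Dev's proposal that a leading `*` also covers the scheme, and runs Adam's two URLs from http://example.com/foo/bar.html through each of the three directives.

```python
from urllib.parse import urlsplit

# Constructed from the thread: the protected page and Adam's two test URLs.
PAGE_URL = "http://example.com/foo/bar.html"
TEST_URLS = [
    "http://www.example.org/images/logo.png",
    "https://www.example.org/images/banana.png",
]

def host_matches(pattern_host: str, host: str) -> bool:
    """'*' matches any host; '*.example.org' matches any subdomain of example.org."""
    pattern_host, host = pattern_host.lower(), host.lower()
    if pattern_host == "*":
        return True
    if pattern_host.startswith("*."):
        return host.endswith(pattern_host[1:])
    return host == pattern_host

def source_matches(source: str, url: str, page_url: str,
                   star_eats_scheme: bool = False) -> bool:
    """Does one CSP source expression allow `url` when loaded from `page_url`?

    star_eats_scheme=False models the draft wording as read in the thread: a
    source with no explicit scheme inherits the scheme of the protected page.
    star_eats_scheme=True models Dev's proposal: a schemeless source whose host
    begins with '*' matches any scheme too. Ports and paths are ignored here.
    """
    u, page = urlsplit(url), urlsplit(page_url)
    scheme, host_part = (source.split("://", 1) if "://" in source
                         else (None, source))
    pattern_host = host_part.split("/", 1)[0].split(":", 1)[0]
    if not host_matches(pattern_host, u.hostname or ""):
        return False
    if scheme is not None:                      # an explicit scheme always wins
        return u.scheme == scheme.lower()
    if star_eats_scheme and pattern_host.startswith("*"):
        return True                             # the '*' glob eats the scheme
    return u.scheme == page.scheme              # otherwise inherit the page's scheme

def evaluate(source: str, star_eats_scheme: bool = False) -> list:
    """Apply `source` to both test URLs: [allowed_http_logo, allowed_https_banana]."""
    return [source_matches(source, url, PAGE_URL, star_eats_scheme) for url in TEST_URLS]

if __name__ == "__main__":
    for src in ("*", "*.example.org", "www.example.org"):
        print(f"{src:18} draft={evaluate(src)}  proposal={evaluate(src, True)}")
```

Later CSP levels settled the question the way Dev proposes for the bare `*` (it matches any scheme other than data:, blob: and filesystem:), and a schemeless host-source was additionally allowed to match https when the page itself is http.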
