On 9 October 2011 13:45, Adam Barth <w3c@adambarth.com> wrote:
> If the source-list for a directive is a single * , does that match all
> URLs? For example, consider this CSP policy:
>
> img-src *
>
> for a page from http://example.com/foo/bar.html. Which of the
> following URLs does that match?
>
> 1) http://www.example.org/images/logo.png
> 2) https://www.example.org/images/banana.png
>

With the current wording of the spec, I agree that it will only allow the
first and that is counter-intuitive. I think CSP should be changed so that
any * without a specified scheme also matches any port. Since the * is
always the leftmost label, I don't think it will be too counter-intuitive
to make this change: the * glob will now even eat the scheme. Thus,

> img-src *.example.org

will allow both images.

> img-src www.example.org

will allow none of the images. This sucks though.

=dev

> What if the directive is one of the following:
>
> img-src *.example.org
> img-src www.example.org
>
> ?
>
> My reading of the specification is that * is treated as a host
> wildcard and that means we inherit the scheme, like we do for
> non-wildcard hosts (lacking a scheme). However, that's not what you
> might expect intuitively, and it isn't consistent with Example 2 in
> Section 3.6.
>
> Thanks,
> Adam
>

Received on Monday, 10 October 2011 03:03:17 GMT
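As an added illustration, not code from the CSP spec or from either poster, the small Python matcher below models the two readings discussed in this thread: a scheme-less source expression inheriting the page's scheme, and the proposed reading where a leading * also swallows the scheme and (when no port is given) the port. The page, image URLs and directives are the ones from the mail; the function names and the simplified grammar (no IPv6 hosts, no path parts) are assumptions of this example.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def parse_source(expr):
    """Split a source expression into (scheme, host, port); absent parts are None."""
    scheme, rest = None, expr
    if "://" in expr:
        scheme, rest = expr.split("://", 1)
    host, port = rest, None
    if ":" in rest:
        host, port_text = rest.rsplit(":", 1)
        port = port_text if port_text == "*" else int(port_text)
    return (scheme.lower() if scheme else None), host.lower(), port

def host_matches(pattern, host):
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])  # '*.example.org' matches 'www.example.org'
    return pattern == host

def matches(expr, url, page_url, star_eats_scheme):
    """True if `url` satisfies `expr` for a page loaded from `page_url`.
    star_eats_scheme=False: a scheme-less expression inherits the page scheme.
    True: a scheme-less expression whose host starts with '*' matches any scheme
    and, if it names no port, any port (the proposal in the reply above)."""
    scheme, host, port = parse_source(expr)
    u, page = urlsplit(url), urlsplit(page_url)
    wildcard_scheme = star_eats_scheme and scheme is None and host.startswith("*")
    if scheme is None:
        scheme = page.scheme  # inherit the page's scheme
    if not wildcard_scheme and u.scheme != scheme:
        return False
    if not host_matches(host, u.hostname or ""):
        return False
    if port == "*" or (port is None and wildcard_scheme):
        return True
    expected = port if port is not None else DEFAULT_PORTS.get(scheme)
    actual = u.port if u.port is not None else DEFAULT_PORTS.get(u.scheme)
    return actual == expected

# Constructed sample: the page, images and directives from the thread.
PAGE = "http://example.com/foo/bar.html"
URLS = ["http://www.example.org/images/logo.png",
        "https://www.example.org/images/banana.png"]

def evaluate(directive, star_eats_scheme, urls=URLS, page=PAGE):
    """Per-URL verdicts for one img-src source expression under one reading."""
    return [matches(directive, u, page, star_eats_scheme) for u in urls]
```

Calling evaluate(d, False) and evaluate(d, True) for d in "*", "*.example.org" and "www.example.org" shows which of the two images each directive admits under each reading.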