W3C home > Mailing lists > Public > public-webappsec@w3.org > March 2013

Re: CSP - matching a URI against a source expression with no scheme

From: Mike West <mkwst@google.com>
Date: Mon, 18 Mar 2013 11:37:08 +0100
Message-ID: <CAKXHy=e0TpMS2mOZkGx4uDmPhFGBivca=usK=EfDDZ4A7rF7tA@mail.gmail.com>
To: Janusz Majnert <jmajnert@gmail.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
Hi Janusz!

In CSP 1.1, the matching behavior for a schemeless source expression relies
on the origin of the resource being protected. See step 3.4 of section
3.2.2.2 for detail.

The intention is that 'script-src example.com' would match both '
http://example.com/script.js' and 'https://example.com/script.js' when
applied to a resource itself served over HTTP. If the protected resource is
served over HTTPS, then 'script-src example.com' would match only '
https://example.com/script.js'

See http://lists.w3.org/Archives/Public/public-webappsec/2013Feb/0036.htmlfor
some discussion around that decision.

--
Mike West <mkwst@google.com>, Developer Advocate
Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91


On Wed, Mar 13, 2013 at 10:37 AM, Janusz Majnert <jmajnert@gmail.com> wrote:

> Hi,
> If I understand correctly, matching the URI:
> "http://example.com/resource1" against the source expression
> "example.com" shall return a positive match?
>
> I would also like to ask for a clarification on point 3.4 of the
> matching algorithm (http://www.w3.org/TR/CSP/#matching):
> "uri-scheme" is the scheme part of the URI (according to point 3.2),
> why should it be compared to the scheme of the URI it was derived
> from? Or is "protected resource's URI" different from the URI being
> matched?
>
> Regards,
> Janusz Majnert
>
>
Received on Monday, 18 March 2013 10:38:02 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:00 UTC