Re: CSP wildcard host matching

On Sun, Jun 29, 2014 at 11:42 AM, Mike West <mkwst@google.com> wrote:
> As are `xxx.example.com` and `yyy.example.com`. I'm hard-pressed to think of
> a scenario in which resources from those two origins would be acceptable,
> but resources from `example.com` wouldn't.

Maybe once we have a way to restrict cookies to be same-origin and you
wouldn't want same-origin credentialed fetches for resources that
ought to come from cdn{1-10}.example.com. Of course, having a way to
manipulate request's credentials mode just like you can manipulate
referrer soon might also address that.

It also seems counter-intuitive that the * crosses the dot.


-- 
http://annevankesteren.nl/

Received on Sunday, 29 June 2014 09:54:07 UTC
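The two host-matching semantics under discussion, as an added example that is not code from the thread or from any CSP implementation: the default follows the CSP Level 2 rule where `*.example.com` matches only subdomains, and the `wildcard_matches_bare_host` flag is a hypothetical switch for the proposed variant in which the `*` "crosses the dot" and `example.com` matches too. Keywords such as `'self'` and scheme-only sources are skipped here since they need the document origin.

```python
# Added example (not from the thread): a minimal CSP host-source matcher that
# makes the "does *.example.com match example.com?" question concrete.
from typing import Optional
from urllib.parse import urlsplit


def host_matches(pattern: str, host: str, wildcard_matches_bare_host: bool = False) -> bool:
    """Return True if `host` matches the CSP host-part `pattern`.

    Default: CSP Level 2 behaviour, where "*.example.com" matches
    xxx.example.com and a.b.example.com but NOT example.com itself.
    wildcard_matches_bare_host=True (hypothetical switch) is the variant
    where the wildcard also covers the bare host, i.e. "crosses the dot".
    """
    pattern, host = pattern.lower(), host.lower()   # host matching is case-insensitive
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]                         # ".example.com"
        if host.endswith(suffix):
            return True                              # a real subdomain
        return wildcard_matches_bare_host and host == pattern[2:]
    return host == pattern


def _host_part(source: str) -> Optional[str]:
    """Extract the host-part of a host-source, dropping scheme, port and path.

    Returns None for keyword sources ('self', 'none', ...) and scheme-only
    sources (https:), which this example does not evaluate. IPv6 literals
    are not handled.
    """
    if source.startswith("'") or source.endswith(":"):
        return None
    if "://" in source:
        source = source.split("://", 1)[1]
    source = source.split("/", 1)[0]
    return source.rsplit(":", 1)[0] if ":" in source else source


def source_list_allows(source_list: str, url: str, wildcard_matches_bare_host: bool = False) -> bool:
    """True if any host-source in a directive's source list matches url's host."""
    host = urlsplit(url).hostname or ""
    for source in source_list.split():
        pattern = _host_part(source)
        if pattern is not None and host_matches(pattern, host, wildcard_matches_bare_host):
            return True
    return False


if __name__ == "__main__":
    # Constructed sample policy and URLs for illustration.
    policy = "'self' *.example.com https://static.cdn.example:443/assets/"
    for url in ("https://cdn1.example.com/a.js", "https://example.com/a.js"):
        print(url, source_list_allows(policy, url), source_list_allows(policy, url, True))
```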