- From: Braiam Peguero <braiamp@gmail.com>
- Date: Fri, 7 Apr 2017 21:40:43 -0400
- To: public-webappsec@w3.org
I have a rule like the following:
script-src https://*.example.com
How should this be parsed? Should it allow only https
resources on any subdomain of example.com, like Firefox,
or disregard it, like Chromium does?
I would prefer the first option, as it can save some bytes of
header for some services.
--
Braiam Peguero
Received on Wednesday, 12 April 2017 15:07:06 UTC
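
The matching asked about above, as an added example that is not part of the original message: a simplified sketch of how CSP Level 3 matches a URL against a host-source expression, limited to scheme, host and port. The function names are hypothetical and the sample URLs are constructed.

```javascript
// Simplified sketch of CSP Level 3 host-source matching: scheme, host, port.
// Paths, ws/wss upgrades and scheme-less expressions are left out.
// All function names here are hypothetical, chosen for this example.
const DEFAULT_PORT = { http: '80', https: '443' };

// Split an expression such as "https://*.example.com" into its parts.
function parseHostSource(expr) {
  const re = /^([a-z][a-z0-9+.-]*):\/\/(\*|(?:\*\.)?[a-z0-9-]+(?:\.[a-z0-9-]+)*)(?::(\d+|\*))?$/i;
  const m = re.exec(expr);
  if (!m) return null; // outside what this sketch handles
  return { scheme: m[1].toLowerCase(), host: m[2].toLowerCase(), port: m[3] || '' };
}

// "http" in a policy also covers "https"; "https" covers only "https".
function schemeMatches(a, b) {
  return a === b || (a === 'http' && b === 'https');
}

// A leading "*" stands for one or more extra labels: "*.example.com" covers
// "a.example.com" and "a.b.example.com", but not "example.com" itself.
function hostMatches(a, b) {
  return a.startsWith('*') ? b.endsWith(a.slice(1)) : a === b;
}

// No port in the expression means the scheme's default port only.
// WHATWG URL reports a default port as the empty string.
function portMatches(a, urlPort, scheme) {
  if (a === '*') return true;
  return (a === DEFAULT_PORT[scheme] ? '' : a) === urlPort;
}

function matchesHostSource(expr, urlString) {
  const src = parseHostSource(expr);
  if (!src) return false;
  const url = new URL(urlString);
  const scheme = url.protocol.slice(0, -1); // "https:" -> "https"
  return schemeMatches(src.scheme, scheme) &&
    hostMatches(src.host, url.hostname) &&
    portMatches(src.port, url.port, scheme);
}

// Constructed sample URLs, checked against the rule from the message.
for (const u of ['https://cdn.example.com/app.js', 'https://example.com/app.js',
  'http://cdn.example.com/app.js', 'https://cdn.example.com:8443/app.js',
  'https://evilexample.com/app.js']) {
  console.log(matchesHostSource('https://*.example.com', u), u);
}
```

A policy that should also cover the bare domain needs `https://example.com` listed next to the wildcard entry.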