
Re: Improving CORS security

From: Mike West <mkwst@google.com>
Date: Wed, 10 May 2017 13:50:25 +0200
Message-ID: <CAKXHy=e6Mcf9XcU8_DnP2=69t_+shfFimKVTOECsGP3DPc-7Mw@mail.gmail.com>
To: Anne van Kesteren <annevk@annevk.nl>
Cc: James Kettle <james.kettle@portswigger.net>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On Wed, May 10, 2017 at 1:01 PM, Anne van Kesteren <annevk@annevk.nl> wrote:

> On Wed, May 10, 2017 at 12:57 PM, Mike West <mkwst@google.com> wrote:
> > I agree, but it's not clear to me that that would be fatal, since
> > browsers that support CSP already have code to deal with this kind of
> > wildcard syntax.
>
> Dare I ask whether that is fully interoperable?


Yup. 100%, probably. Maybe even 101%, because user agents wouldn't ship
things that didn't comply with the spec!

*cough*


> Last I checked this
> was defined with some ABNF which didn't inspire confidence. Also,
> would this result in http://example/ matching HTTP://EXAMPLE/ whereas
> it does not now?
>

I believe that the combination of the parsing and matching algorithms in
the CSP spec is pretty solid (but, really, getting more eyes on the
document would be better). But my point was less "Hey, let's reuse CSP!"
and more "Wildcards are a problem that's totally possible to solve if we
decide that we want to solve it."

-mike
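To make the question in this exchange concrete, here is an added example (not code from the thread, the CSP spec, or any browser) of a CORS origin allowlist matcher modelled on CSP-style host-source expressions: scheme and host are compared ASCII case-insensitively, a leading `*.` matches one or more subdomain labels but never the bare host, and an omitted port means the scheme's default port. The allowlist entries and origins are constructed sample values; a plain string comparison is shown alongside to illustrate why `http://example/` and `HTTP://EXAMPLE/` are treated differently by the two approaches.

```python
import re
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Hypothetical pattern grammar: scheme://[*.]host[:port|:*]
PATTERN_RE = re.compile(
    r"^(?P<scheme>[a-z][a-z0-9+.-]*)://(?P<wild>\*\.)?(?P<host>[^:/*]+)"
    r"(?::(?P<port>\d+|\*))?$",
    re.IGNORECASE,
)


def parse_origin(origin):
    """Split an Origin header value into (scheme, host, port).

    Scheme and host are lower-cased; a missing port becomes the scheme's
    default. Returns None for opaque origins ("null") or malformed input.
    """
    try:
        parts = urlsplit(origin)
        if not parts.scheme or not parts.hostname or parts.path not in ("", "/"):
            return None
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return None
    scheme = parts.scheme.lower()
    if port is None:
        port = DEFAULT_PORTS.get(scheme)
    return scheme, parts.hostname.lower(), port


def exact_allowed(entry, origin):
    """Naive allowlist check: byte-for-byte comparison of the Origin header."""
    return entry == origin


def origin_allowed(pattern, origin):
    """CSP-style match of an Origin header against one allowlist pattern."""
    m = PATTERN_RE.match(pattern)
    parsed = parse_origin(origin)
    if not m or not parsed:
        return False
    scheme, host, port = parsed
    p_scheme, p_host = m["scheme"].lower(), m["host"].lower()
    if scheme != p_scheme:
        return False
    if m["wild"]:
        # '*.' requires at least one extra label; the bare host does not match
        if not host.endswith("." + p_host):
            return False
    elif host != p_host:
        return False
    p_port = m["port"]
    if p_port is None:
        return port == DEFAULT_PORTS.get(p_scheme)
    return p_port == "*" or port == int(p_port)
```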
Received on Wednesday, 10 May 2017 11:51:19 UTC
