Re: Improving CORS security

On Wed, May 10, 2017 at 1:01 PM, Anne van Kesteren <annevk@annevk.nl> wrote:

> On Wed, May 10, 2017 at 12:57 PM, Mike West <mkwst@google.com> wrote:
> > I agree, but it's not clear to me that that would be fatal, since browsers
> > that support CSP already have code to deal with this kind of wildcard
> > syntax.
>
> Dare I ask whether that is fully interoperable?

Yup. 100%, probably. Maybe even 101%, because user agents wouldn't ship
things that didn't comply with the spec!

*cough*
> Last I checked this
> was defined with some ABNF which didn't inspire confidence. Also,
> would this result in http://example/ matching HTTP://EXAMPLE/ whereas
> it does not now?

I believe that the combination of the parsing and matching algorithms in
the CSP spec is pretty solid (but, really, getting more eyes on the
document would be better). But my point was less "Hey, let's reuse CSP!"
and more "Wildcards are a problem that's totally possible to solve if we
decide that we want to solve it."

-mike

Received on Wednesday, 10 May 2017 11:51:19 UTC