[CSP] img-src *

If the source-list for a directive is a single * , does that match all
URLs?  For example, consider this CSP policy:

img-src *

for a page from http://example.com/foo/bar.html.  Which of the
following URLs does that match?

1) http://www.example.org/images/logo.png
2) https://www.example.org/images/banana.png

What if the directive is one of the following?

img-src *.example.org
img-src www.example.org

My reading of the specification is that * is treated as a host
wildcard and that means we inherit the scheme, like we do for
non-wildcard hosts (lacking a scheme).  However, that's not what you
might expect intuitively, and it isn't consistent with Example 2 in
Section 3.6.

Thanks,
Adam

Received on Sunday, 9 October 2011 20:46:47 UTC
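As an added example (not part of Adam's message or of the CSP specification text), here is a small Python matcher that implements the reading described above: a scheme-less host source, including a bare `*` host wildcard, inherits the scheme of the protected resource. The `star_inherits_scheme` flag, `PAGE`, `URLS` and `DIRECTIVES` are assumptions introduced here to contrast that reading with the intuitive one in which `*` matches any scheme; ports, paths and keyword sources are left out.

```python
from urllib.parse import urlsplit

PAGE = "http://example.com/foo/bar.html"           # the protected resource from the message
URLS = [
    "http://www.example.org/images/logo.png",     # URL 1 in the message
    "https://www.example.org/images/banana.png",  # URL 2 in the message
]
DIRECTIVES = ["*", "*.example.org", "www.example.org"]   # the three source lists asked about


def source_matches(expr, url, page_url, star_inherits_scheme=True):
    """True if source expression `expr` matches `url` for a page at `page_url`.

    Scheme-less host sources inherit the page's scheme.  `star_inherits_scheme`
    (an assumption, not spec text) picks the reading of a bare '*': True treats
    it as a host wildcard that also inherits the scheme, False lets it match
    any scheme.  Ports, paths and keyword sources ('self', 'none') are omitted.
    """
    page, target = urlsplit(page_url), urlsplit(url)
    if expr == "*" and not star_inherits_scheme:
        return True
    if "://" in expr:                      # explicit scheme, e.g. https://cdn.example.org
        scheme, host_pattern = expr.split("://", 1)
    else:                                  # no scheme: inherit from the protected resource
        scheme, host_pattern = page.scheme, expr
    if target.scheme.lower() != scheme.lower():
        return False
    host, host_pattern = (target.hostname or ""), host_pattern.lower()
    if host_pattern == "*":                # host wildcard: any host, scheme already checked
        return True
    if host_pattern.startswith("*."):      # any subdomain of the suffix, not the bare domain
        return host.endswith(host_pattern[1:])
    return host == host_pattern


def policy_allows(source_list, url, page_url, star_inherits_scheme=True):
    """Evaluate a whole source list (space-separated expressions)."""
    return any(source_matches(e, url, page_url, star_inherits_scheme)
               for e in source_list.split())


def message_examples(star_inherits_scheme=True):
    """Map each directive from the message to its verdicts on URL 1 and URL 2."""
    return {d: tuple(policy_allows(d, u, PAGE, star_inherits_scheme) for u in URLS)
            for d in DIRECTIVES}


if __name__ == "__main__":
    for reading in (True, False):
        print("star inherits scheme =", reading, message_examples(reading))
```

Under the host-wildcard reading all three directives reject URL 2 from the http: page, which is the asymmetry the message points out; CSP Level 2 and later define a bare `*` to match any URL whose scheme is not blob:, data: or filesystem:, regardless of the page's scheme, so the `star_inherits_scheme=False` path is the behaviour that shipped.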