- From: Devdatta Akhawe <dev.akhawe@gmail.com>
- Date: Sun, 9 Oct 2011 20:02:28 -0700
- To: Adam Barth <w3c@adambarth.com>
- Cc: public-web-security@w3.org, Ulfar Erlingsson <ulfar@google.com>
On 9 October 2011 13:45, Adam Barth <w3c@adambarth.com> wrote:
> If the source-list for a directive is a single * , does that match all
> URLs? For example, consider this CSP policy:
>
> img-src *
>
> for a page from http://example.com/foo/bar.html. Which of the
> following URLs does that match?
>
> 1) http://www.example.org/images/logo.png
> 2) https://www.example.org/images/banana.png
>

With the current wording of the spec, I agree that it will only allow the first and that is counter-intuitive. I think CSP should be changed so that any * without a specified scheme also matches any port. Since the * is always the leftmost label, I don't think it will be too counter-intuitive to make this change: the * glob will now even eat the scheme. Thus,

> img-src *.example.org

will allow both images.

> img-src www.example.org

will allow none of the images. This sucks though.

=dev

> What if the directive is one of the following:
>
> img-src *.example.org
> img-src www.example.org
>
> ?
>
> My reading of the specification is that * is treated as a host
> wildcard and that means we inherit the scheme, like we do for
> non-wildcard hosts (lacking a scheme). However, that's not what you
> might expect intuitively, and it isn't consistent with Example 2 in
> Section 3.6.
>
> Thanks,
> Adam
>
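The two readings of a scheme-less wildcard that the message discusses, modelled as an added Python example (this is not the CSP spec's matching algorithm and not code from either poster): with `wildcard_eats_scheme=False` a scheme-less source expression inherits the page's scheme, as in Adam's reading of the current wording; with `wildcard_eats_scheme=True` a host beginning with `*` also matches any scheme, as in the proposed change. The page URL and the two image URLs are the ones from the question; the port handling is a simplifying assumption.

```python
from urllib.parse import urlsplit

# Added illustration of the two readings discussed in the thread; it is
# not the CSP spec's own matching algorithm and not code from the list.
# A source expression is "[scheme://]host[:port]"; host may be the bare
# "*" or begin with "*.".

def parse_source(expr):
    """Return (scheme, host, port) for a source expression; absent parts are None."""
    scheme = None
    if "://" in expr:
        scheme, expr = expr.split("://", 1)
    host, _, port = expr.partition(":")
    return scheme, host, port or None

def host_matches(pattern, host):
    """Host part: bare '*' matches any host, '*.' matches any subdomain."""
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])   # '*.example.org' -> '.example.org'
    return pattern == host

def matches(expr, url, page_url, wildcard_eats_scheme=False):
    """Does url match expr for a page loaded from page_url?

    wildcard_eats_scheme=False: a scheme-less expression inherits the
    page's scheme (the current wording as read in the thread).
    wildcard_eats_scheme=True: a host beginning with '*' also matches
    any scheme (the proposed change).
    """
    scheme, host, port = parse_source(expr)
    u = urlsplit(url)
    if scheme is None and not (wildcard_eats_scheme and host.startswith("*")):
        scheme = urlsplit(page_url).scheme
    if scheme is not None and u.scheme != scheme:
        return False
    if port is not None and str(u.port) != port:   # assumption: explicit port must match
        return False
    return host_matches(host, u.hostname)

# Constructed inputs, taken from the question in the thread.
PAGE = "http://example.com/foo/bar.html"
URLS = ["http://www.example.org/images/logo.png",
        "https://www.example.org/images/banana.png"]

def allowed(expr, wildcard_eats_scheme=False):
    """The URLs above that `img-src <expr>` would allow for PAGE."""
    return [u for u in URLS if matches(expr, u, PAGE, wildcard_eats_scheme)]

if __name__ == "__main__":
    for expr in ("*", "*.example.org", "www.example.org"):
        print(expr, allowed(expr), allowed(expr, True))
```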
Received on Monday, 10 October 2011 03:03:17 UTC