Re: [w3ctag/design-reviews] Wildcards in Permissions Policy Origins (Issue #765)

There has been a further expansion of this proposal. Specifically:

Subdomain wildcards in allowlists provided some valuable flexibility, but differed from existing wildcard parsers and required novel code and spec work. This intent will reduce that overhead by reusing parts of the existing [Content Security Policy spec](https://www.w3.org/TR/CSP/#framework-directive-source-list) and permitting ‘scheme + wildcard domain’ and ‘wildcard port’ in the allowlist.

Specifically, this intent would adopt the definition of [host-source](https://www.w3.org/TR/CSP/#grammardef-host-source) and [scheme-source](https://www.w3.org/TR/CSP/#grammardef-scheme-source) instead of [origin](https://www.w3.org/TR/permissions-policy/#allowlists) in the Allowlist definition while requiring that the [path-part](https://www.w3.org/TR/CSP/#grammardef-path-part) is empty (as Permissions Policies apply to matching origins). This would change three things from the prior wildcard implementation (all of which expand the range of allowed wildcards and none of which add new restrictions):

(1) Removing the eTLD+1 requirement for subdomain wildcards
Previously, you could not have a subdomain wildcard like “https://\*.com” but could have one like “https://\*.example.com”.
Now, you can have subdomain wildcards both like “https://\*.com” and “https://\*.example.com”.

(2) Allowing scheme restrictions on wildcard domains.
Previously, you could allow “\*” but not restrict to a specific scheme like “https://\*” or “https:”.
Now, you can still allow “\*” but have the option of delegating to just a specific scheme like “https://\*” or “https:” (the behavior of these is identical).

(3) Allowing port wildcards.
Previously you could delegate to the default https port like “https://example.com” or “https://example.com:443” (the behavior of these is identical), but there was no way to explicitly delegate to all ports like “https://example.com:\*”.
Now, you can still delegate to “https://example.com” or “https://example.com:443” but delegation is also permitted to a wildcard port like “https://example.com:\*”.


-- 
https://github.com/w3ctag/design-reviews/issues/765#issuecomment-1468200656

Message ID: <w3ctag/design-reviews/issues/765/1468200656@github.com>

Received on Tuesday, 14 March 2023 14:26:18 UTC
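
As an added illustration of the three changes listed in the message above (not code from the proposal, the specs, or any browser), the following JavaScript matches an origin against allowlist entries written as a scheme-source, a host-source with an empty path-part, or `*`. The names `parseEntry` and `originAllowed` are hypothetical, and the code assumes every host entry carries an explicit scheme, compares schemes exactly, and ignores keywords such as `self`.

```javascript
// Added example: simplified matcher, not the spec algorithm or browser code.
const DEFAULT_PORTS = { 'http:': '80', 'https:': '443' };

// Parse one allowlist entry; returns null for anything unsupported here.
function parseEntry(entry) {
  if (entry === '*') return { any: true };
  // scheme-source, e.g. "https:" (any host, any port on that scheme)
  let m = /^([a-z][a-z0-9+.-]*):$/i.exec(entry);
  if (m) return { scheme: m[1].toLowerCase() + ':', host: '*', port: '*' };
  // host-source with an empty path-part: scheme://host[:port]
  m = /^([a-z][a-z0-9+.-]*):\/\/(\*|(?:\*\.)?[a-z0-9-]+(?:\.[a-z0-9-]+)*)(?::(\d+|\*))?$/i
    .exec(entry);
  if (!m) return null; // path present, scheme missing, or malformed wildcard
  const scheme = m[1].toLowerCase() + ':';
  const host = m[2].toLowerCase();
  // The message states "https://*" behaves identically to "https:", so a
  // bare wildcard host with no port is treated as any port (assumption).
  if (host === '*') return { scheme, host, port: m[3] || '*' };
  // No port-part means the scheme's default port only.
  return { scheme, host, port: m[3] || DEFAULT_PORTS[scheme] || '' };
}

// True if `origin` (e.g. "https://a.example.com:8443") matches any entry.
function originAllowed(origin, allowlist) {
  const u = new URL(origin);
  const host = u.hostname.toLowerCase();
  const port = u.port || DEFAULT_PORTS[u.protocol] || '';
  return allowlist.some((entry) => {
    const p = parseEntry(entry);
    if (!p) return false;            // unparseable entries never match
    if (p.any) return true;
    if (p.scheme !== u.protocol) return false;
    if (p.port !== '*' && p.port !== port) return false;
    if (p.host === '*') return true;
    // "*.example.com" matches subdomains but not "example.com" itself.
    if (p.host.startsWith('*.')) return host.endsWith(p.host.slice(1));
    return p.host === host;
  });
}

// Constructed sample origins and entries covering changes (1) to (3).
const samples = [
  ['https://shop.example.com', 'https://*.com'],
  ['https://example.com:8443', 'https:'],
  ['https://example.com:8443', 'https://example.com'],
  ['https://example.com:8443', 'https://example.com:*'],
];
for (const [o, e] of samples) console.log(o, e, originAllowed(o, [e]));
```

When reviewing a policy, note how much wider an entry such as `https://*.com` or `https:` delegates than `https://*.example.com`: every origin it matches receives the feature.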