- From: Mike West <mkwst@google.com>
- Date: Sat, 13 Oct 2012 09:53:12 +0200
- To: "public-webappsec@w3.org" <public-webappsec@w3.org>
- Cc: Tanvi Vyas <tanvi@mozilla.com>, dveditz@mozilla.com, Adam Barth <w3c@adambarth.com>
- Message-ID: <CAKXHy=eb6SX64DT6xpqhRDiYkEgu9fuOvFjVR3+iKH90Zy82og@mail.gmail.com>
> On Tue, Sep 25, 2012 at 12:11 AM, Tanvi Vyas <tanvi@mozilla.com> wrote: > >> Perhaps we could distinguish between directories and filenames by >> looking for a trailing slash followed by a star, so that startup.com has >> an option to choose between newanalytics.com/js/analytics.js or >> newanalytics.com/js/*. >> > > On the one hand, I like having an explicit wildcard at the end, as it > makes it quite clear what's meant. On the other, a trailing '/' is probably > just as explicit, and doesn't get us into weird discussions about > supporting files named '*'. :) > > I'd suggest that: > * newanalytics.com/js match a file named "js" > * newanalytics.com/js/ match all files under a directory named "js", and > * newanalytics.com/js/analytics.js match the specific file "analytics.js" > under the directory named "js". > I've taken a stab at working this into the 1.1 spec, and added a non-normative section explaining the intent: https://dvcs.w3.org/hg/content-security-policy/rev/c29f8817f682 I found it a bit difficult to formulate, so I'd appreciate some feedback as to its clarity. In the meantime, I'll get started on an experimental implementation in WebKit to see if it makes as much sense as I think it does. :) One open question is how we would handle query strings. Do we want to support 'example.com/js/thisfile.js?id=2'? If so, how would we handle a request for 'example.com/js/thisfile.js?extra=param&id=2'? Is that a match? How about 'example.com/js/thisfile.js?id=2&extra=param'? -- Mike West <mkwst@google.com>, Developer Advocate Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91
Received on Saturday, 13 October 2012 07:54:01 UTC