Re: CSP 1.1: Paths in source list definitions.

On Sat, Oct 13, 2012 at 12:53 AM, Mike West <> wrote:
>> On Tue, Sep 25, 2012 at 12:11 AM, Tanvi Vyas <> wrote:
>>> Perhaps we could distinguish between directories and filenames by looking
>>> for a trailing slash followed by a star, so that has an option
>>> to choose between or*.
>> On the one hand, I like having an explicit wildcard at the end, as it
>> makes it quite clear what's meant. On the other, a trailing '/' is probably
>> just as explicit, and doesn't get us into weird discussions about supporting
>> files named '*'. :)
>> I'd suggest that:
>> * match a file named "js"
>> * match all files under a directory named "js", and
>> * match the specific file "analytics.js"
>> under the directory named "js".
> I've taken a stab at working this into the 1.1 spec, and added a
> non-normative section explaining the intent:
> I found it a bit difficult to formulate, so I'd appreciate some feedback as
> to its clarity. In the meantime, I'll get started on an experimental
> implementation in WebKit to see if it makes as much sense as I think it
> does. :)
> One open question is how we would handle query strings. Do we want to
> support ''? If so, how would we handle a
> request for ''? Is that a match?
> How about ''?

IMHO, we shouldn't support query strings.  This feature is most useful
for restricting to a known-safe directory.


Received on Saturday, 13 October 2012 07:57:35 UTC
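The directory-versus-file rule discussed in this thread, as an added example that is not code from the thread, from the CSP 1.1 draft, or from any browser implementation. It treats a source path that ends in '/' as matching every resource path under that directory, a source path without a trailing '/' as matching only that exact file, and, following the position taken in the reply, ignores the request's query string and fragment. The function names (matchesSource, allowedBy) and all sample URLs (cdn.example, other.example) are constructed for this example; it relies only on the standard WHATWG URL parser available in browsers and Node.

```javascript
// Added example (not from the thread or any CSP implementation): path matching
// for a CSP source expression under the semantics proposed above.
// Assumptions, labelled: trailing '/' = directory prefix match, no trailing '/'
// = exact file match, query string and fragment never consulted.

function matchesSource(sourceExpression, requestUrl) {
  // Parse both sides with the same URL parser so that dot segments, default
  // ports and host case are normalized identically before comparison.
  const source = new URL(sourceExpression);
  const request = new URL(requestUrl);

  // Scheme, host and port must agree; the path rules only refine an origin match.
  if (source.origin !== request.origin) return false;

  // pathname excludes '?query' and '#fragment', so they are ignored here, and
  // '/js/../admin/a.js' has already been resolved to '/admin/a.js' by the parser,
  // so a traversal-looking request cannot slip under a directory rule.
  const sourcePath = source.pathname;
  const requestPath = request.pathname;

  if (sourcePath.endsWith('/')) {
    // Directory rule: every path under the directory is allowed. A bare origin
    // such as https://cdn.example parses to pathname '/', which matches all paths.
    // The trailing '/' in the prefix is what keeps '/js/' from matching '/jsx/'.
    return requestPath.startsWith(sourcePath);
  }

  // File rule: only the exact path is allowed, so '/js' does not cover '/js/'.
  return requestPath === sourcePath;
}

// Evaluate a whole source list (constructed helper): the request is allowed if
// any source expression in the list matches it.
function allowedBy(sourceList, requestUrl) {
  return sourceList.some((src) => matchesSource(src, requestUrl));
}

// Constructed sample policy and requests illustrating each rule.
const policy = ['https://cdn.example/js/', 'https://cdn.example/vendor/jquery.js'];
const samples = [
  'https://cdn.example/js/analytics.js',          // directory rule: allowed
  'https://cdn.example/jsx/evil.js',              // different directory: blocked
  'https://cdn.example/vendor/jquery.js?v=1.8',   // exact file, query ignored: allowed
  'https://cdn.example/vendor/jquery.js.map',     // exact file rule: blocked
  'https://cdn.example/js/../vendor/other.js',    // normalized to /vendor/other.js: blocked
  'https://other.example/js/analytics.js',        // origin mismatch: blocked
];
for (const url of samples) {
  console.log(allowedBy(policy, url) ? 'allow ' : 'block ', url);
}
```

The point worth noticing is that normalization is done by the URL parser before the string comparison, so the matcher never sees an unresolved '..' segment; any implementation that compares raw request strings against the source path would need to do that resolution itself.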