Re: CSP 1.1: Paths in source list definitions.

On 10/15/12 7:35 AM, Mike West wrote:
> I think he means the opposite: whitelisting 'example.com/js/thisfile.js'
> would allow 'https://example.com/js/thisfile.js?29', etc. We'd simply
> ignore the query portion of the source expression.

Yes, I think we have to do that. While sites do return different
resources in response to different queries, in many cases the arguments
are not order sensitive or are optional. The next CSP feature request
would be some complex regular expression syntax for matching parts of
the query string -- yuck.

-Dan Veditz

Received on Tuesday, 16 October 2012 00:40:25 UTC
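
The matching rule discussed in this thread, sketched as an added example that is not part of the original messages and is not the CSP specification's algorithm. The function names are hypothetical, and the simplifications (no wildcards, exact path match, a scheme-less expression accepting http and https, no IPv6 literals) are assumptions.

```javascript
// Added sketch: match a request URL against a source expression that carries
// a path, ignoring the query on both sides as proposed in the thread.

function parseSourceExpression(expr) {
  // optional scheme://, then host[:port], then path; "?query" is not captured
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/?#]+)([^?#]*)/i.exec(expr.trim());
  if (!m) throw new Error(`unparseable source expression: ${expr}`);
  const [host, port = ""] = m[2].toLowerCase().split(":");
  return {
    scheme: m[1] ? m[1].toLowerCase() : null, // null: expression names no scheme
    host,
    port,
    path: m[3] || null, // null: expression names no path, so any path matches
  };
}

function defaultPort(scheme) {
  return scheme === "https" ? "443" : scheme === "http" ? "80" : "";
}

function matchesSource(expr, requestUrl) {
  const src = parseSourceExpression(expr);
  const url = new URL(requestUrl);
  const scheme = url.protocol.slice(0, -1); // "https:" -> "https"

  if (src.scheme ? src.scheme !== scheme : !["http", "https"].includes(scheme)) {
    return false;
  }
  if (src.host !== url.hostname) return false;
  if ((src.port || defaultPort(scheme)) !== (url.port || defaultPort(scheme))) {
    return false;
  }
  // url.pathname excludes url.search, so argument order, optional arguments
  // and cache-busting suffixes such as "?29" never affect the decision.
  return src.path === null || src.path === url.pathname;
}

// Constructed sample requests checked against the expression from the thread.
const expr = "example.com/js/thisfile.js";
for (const u of [
  "https://example.com/js/thisfile.js?29",
  "https://example.com/js/thisfile.js?b=2&a=1",
  "https://example.com/js/other.js?29",
]) {
  console.log(matchesSource(expr, u) ? "allow" : "block", u);
}
```

Because the query is dropped before comparison, a listed path cannot be used to tell apart two resources that the server selects by query argument; anything served from that path is allowed.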