- From: Dan Veditz <dveditz@mozilla.com>
- Date: Mon, 15 Oct 2012 17:39:57 -0700
- To: Mike West <mkwst@google.com>
- CC: Odin Hørthe Omdal <odinho@opera.com>, Adam Barth <w3c@adambarth.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Tanvi Vyas <tanvi@mozilla.com>
On 10/15/12 7:35 AM, Mike West wrote: > I think he means the opposite: whitelisting 'example.com/js/thisfile.js > <http://example.com/js/thisfile.js>' would allow > 'https://example.com/js/thisfile.js?29', etc. We'd simply ignore the > query portion of the source expression. Yes, I think we have to do that. While sites do return different resources in response to different queries, in many cases the arguments are not order sensitive or are optional. The next CSP feature request would be some complex regular expression syntax for matching parts of the query string -- yuck. -Dan Veditz
Received on Tuesday, 16 October 2012 00:40:25 UTC