- From: Mike West <mkwst@google.com>
- Date: Mon, 18 Mar 2013 11:37:08 +0100
- To: Janusz Majnert <jmajnert@gmail.com>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
- Message-ID: <CAKXHy=e0TpMS2mOZkGx4uDmPhFGBivca=usK=EfDDZ4A7rF7tA@mail.gmail.com>
Hi Janusz!

In CSP 1.1, the matching behavior for a schemeless source expression relies on the origin of the resource being protected. See step 3.4 of section 3.2.2.2 for detail.

The intention is that 'script-src example.com' would match both 'http://example.com/script.js' and 'https://example.com/script.js' when applied to a resource itself served over HTTP. If the protected resource is served over HTTPS, then 'script-src example.com' would match only 'https://example.com/script.js'.

See http://lists.w3.org/Archives/Public/public-webappsec/2013Feb/0036.html for some discussion around that decision.

--
Mike West <mkwst@google.com>, Developer Advocate
Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

On Wed, Mar 13, 2013 at 10:37 AM, Janusz Majnert <jmajnert@gmail.com> wrote:
> Hi,
> If I understand correctly, matching the URI:
> "http://example.com/resource1" against the source expression
> "example.com" shall return a positive match?
>
> I would also like to ask for a clarification on point 3.4 of the
> matching algorithm (http://www.w3.org/TR/CSP/#matching):
> "uri-scheme" is the scheme part of the URI (according to point 3.2),
> why should it be compared to the scheme of the URI it was derived
> from? Or is "protected resource's URI" different from the URI being
> matched?
>
> Regards,
> Janusz Majnert
Received on Monday, 18 March 2013 10:38:02 UTC
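The scheme-dependent matching rule described in the reply above, written out as an added example in JavaScript. This is not code from the thread, from the CSP specification text, or from any browser. It assumes Node's built-in URL class, models only the scheme, host and port of a source expression (no path matching), and takes the wildcard-host and default-port rules from the CSP specification rather than from the message itself, so those parts are an assumption about what a conforming implementation does.

```javascript
// Added example: a small model of CSP 1.1 host-source matching in which a
// schemeless source expression ("example.com") inherits the scheme of the
// protected resource, with HTTPS allowed as an upgrade for HTTP pages.

const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Parse "[scheme://]host[:port]" into its parts. Host may be "*" or "*.example.com";
// port may be a number or "*". Paths are intentionally not modelled here.
function parseSourceExpression(expr) {
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[^:/*]+)(?::(\d+|\*))?$/i.exec(expr.trim());
  if (!m) throw new Error(`unsupported source expression: ${expr}`);
  return {
    scheme: m[1] ? `${m[1].toLowerCase()}:` : null, // null means "schemeless"
    host: m[2].toLowerCase(),
    port: m[3] || null,
  };
}

// "*" matches any host; "*.example.com" matches subdomains only (not example.com itself).
function hostMatches(pattern, hostname) {
  if (pattern === "*") return true;
  if (pattern.startsWith("*.")) {
    const suffix = pattern.slice(1); // ".example.com"
    return hostname.endsWith(suffix) && hostname.length > suffix.length;
  }
  return pattern === hostname;
}

// The point of the thread: a schemeless expression is resolved against the
// protected resource's scheme. An HTTP page accepts http: and https: resources;
// an HTTPS page accepts only https: resources. An explicit scheme must match exactly.
function schemeMatches(exprScheme, protectedScheme, uriScheme) {
  if (exprScheme) return exprScheme === uriScheme;
  if (protectedScheme === "http:") return uriScheme === "http:" || uriScheme === "https:";
  return uriScheme === protectedScheme;
}

// Does `candidateUrl` match `expr` when the policy is applied to `protectedUrl`?
function matchesSource(expr, protectedUrl, candidateUrl) {
  const src = parseSourceExpression(expr);
  const page = new URL(protectedUrl);
  const uri = new URL(candidateUrl);

  if (!schemeMatches(src.scheme, page.protocol, uri.protocol)) return false;
  if (!hostMatches(src.host, uri.hostname)) return false;

  // URL.port is "" for the scheme's default port, so normalise it first.
  const uriPort = uri.port || DEFAULT_PORTS[uri.protocol] || "";
  if (src.port === "*") return true;
  if (src.port) return src.port === uriPort;
  // No port in the expression: the URI must use the default port for its scheme.
  return uriPort === (DEFAULT_PORTS[uri.protocol] || "");
}

// Constructed demonstration inputs (not taken from the thread).
const cases = [
  ["example.com", "http://site.example/", "http://example.com/script.js"],   // true
  ["example.com", "http://site.example/", "https://example.com/script.js"],  // true
  ["example.com", "https://site.example/", "http://example.com/script.js"],  // false
  ["example.com", "https://site.example/", "https://example.com/script.js"], // true
];
for (const [expr, page, uri] of cases) {
  console.log(`${expr} on ${page} vs ${uri}: ${matchesSource(expr, page, uri)}`);
}

module.exports = { parseSourceExpression, hostMatches, schemeMatches, matchesSource };
```

The third case is the one that trips people up: the same `script-src example.com` policy that accepts an http: script on an http: page rejects it on an https: page, because the scheme is taken from the document being protected, not from the resource being fetched.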