- From: Janusz Majnert <jmajnert@gmail.com>
- Date: Mon, 18 Mar 2013 11:47:13 +0100
- To: Mike West <mkwst@google.com>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
Hi,
Thanks for the answer. Obviously I didn't quite understand that "protected
resource" was the document for which the CSP policy was set, not the
resource that is being requested.

Regards,
Janusz Majnert

2013/3/18 Mike West <mkwst@google.com>:
> Hi Janusz!
>
> In CSP 1.1, the matching behavior for a schemeless source expression relies
> on the origin of the resource being protected. See step 3.4 of section
> 3.2.2.2 for detail.
>
> The intention is that 'script-src example.com' would match both
> 'http://example.com/script.js' and 'https://example.com/script.js' when
> applied to a resource itself served over HTTP. If the protected resource is
> served over HTTPS, then 'script-src example.com' would match only
> 'https://example.com/script.js'.
>
> See http://lists.w3.org/Archives/Public/public-webappsec/2013Feb/0036.html
> for some discussion around that decision.
>
> --
> Mike West <mkwst@google.com>, Developer Advocate
> Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
> Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91
>
>
> On Wed, Mar 13, 2013 at 10:37 AM, Janusz Majnert <jmajnert@gmail.com> wrote:
>>
>> Hi,
>> If I understand correctly, matching the URI:
>> "http://example.com/resource1" against the source expression
>> "example.com" shall return a positive match?
>>
>> I would also like to ask for a clarification on point 3.4 of the
>> matching algorithm (http://www.w3.org/TR/CSP/#matching):
>> "uri-scheme" is the scheme part of the URI (according to point 3.2),
>> why should it be compared to the scheme of the URI it was derived
>> from? Or is "protected resource's URI" different from the URI being
>> matched?
>>
>> Regards,
>> Janusz Majnert
>>
>
Received on Monday, 18 March 2013 10:47:45 UTC
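The scheme rule Mike describes in the thread, as an added worked example (not code from the thread, from the CSP specification or from any browser): a simplified CSP 1.1 host-source matcher in JavaScript that takes the protected resource's URL as an explicit third argument, so the distinction Janusz asked about is visible in the call. It handles scheme, host (including the leading `*` wildcard) and port, but omits path matching and keyword sources such as 'self'; the `site.example` document URLs and the `*.example.com` and port cases are assumptions added to exercise the matcher, while `example.com` and the two `script.js` URLs are the thread's own.

```javascript
// Added example (not from the thread or the CSP spec): a simplified CSP 1.1
// host-source matcher. It implements the scheme rule discussed in the thread,
// plus host (with leading "*" wildcard) and port matching. Path matching is
// omitted, and keyword sources ('self', 'none', ...) are not handled.
// Runs under Node.js, which provides the WHATWG URL class globally.

const DEFAULT_PORTS = { 'http:': '80', 'https:': '443', 'ws:': '80', 'wss:': '443' };

// Split a host-source such as "example.com", "https://example.com:443",
// "*.example.com" or "*:8080" into scheme (null if absent), host and port
// (null if absent, "*" for the wildcard).
function parseHostSource(expr) {
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[a-z0-9-]+(?:\.[a-z0-9-]+)*)(?::(\*|\d+))?$/i
    .exec(expr.trim());
  if (!m) throw new Error(`unsupported source expression: ${expr}`);
  return {
    scheme: m[1] ? m[1].toLowerCase() + ':' : null,
    host: m[2].toLowerCase(),
    port: m[3] || null,
  };
}

// Does `expr` match `urlString` when the policy is set on the document at
// `protectedResourceUrl`? The third argument is the "protected resource" the
// thread is about: it decides how a schemeless expression is read.
function matchesSourceExpression(expr, urlString, protectedResourceUrl) {
  const src = parseHostSource(expr);
  const url = new URL(urlString);
  const doc = new URL(protectedResourceUrl);

  // Scheme. An explicit scheme must match exactly. A schemeless expression
  // inherits the protected resource's scheme; when that scheme is http, an
  // https fetch is also accepted (the CSP 1.1 behaviour described in the thread).
  if (src.scheme !== null) {
    if (url.protocol !== src.scheme) return false;
  } else if (doc.protocol === 'http:') {
    if (url.protocol !== 'http:' && url.protocol !== 'https:') return false;
  } else if (url.protocol !== doc.protocol) {
    return false;
  }

  // Host. "*" matches anything; "*.example.com" matches any host whose
  // rightmost characters are ".example.com" (so not "example.com" itself).
  const host = url.hostname.toLowerCase();
  if (src.host === '*') {
    // any host
  } else if (src.host.startsWith('*.')) {
    if (!host.endsWith(src.host.slice(1))) return false;
  } else if (host !== src.host) {
    return false;
  }

  // Port. url.port is "" for the scheme's default port, so fill it in. Without
  // an explicit port the expression only matches the default port of the
  // scheme the URL actually uses; "*" matches any port.
  const effectivePort = url.port || DEFAULT_PORTS[url.protocol] || '';
  if (src.port === '*') {
    // any port
  } else if (src.port !== null) {
    if (effectivePort !== src.port) return false;
  } else if (effectivePort !== (DEFAULT_PORTS[url.protocol] || '')) {
    return false;
  }

  return true;
}

// Evaluate a whole directive value (the part after "script-src") by checking
// each whitespace-separated host-source in turn.
function directiveAllows(directiveValue, urlString, protectedResourceUrl) {
  return directiveValue
    .split(/\s+/)
    .filter(Boolean)
    .some((expr) => matchesSourceExpression(expr, urlString, protectedResourceUrl));
}

// Reproduce the thread's four cases with constructed inputs. The protected
// resource URLs (site.example) are assumptions; example.com is from the thread.
function threadExample() {
  const script = { http: 'http://example.com/script.js', https: 'https://example.com/script.js' };
  const doc = { http: 'http://site.example/page.html', https: 'https://site.example/page.html' };
  return {
    httpDocHttpScript: matchesSourceExpression('example.com', script.http, doc.http),     // true
    httpDocHttpsScript: matchesSourceExpression('example.com', script.https, doc.http),   // true
    httpsDocHttpScript: matchesSourceExpression('example.com', script.http, doc.https),   // false
    httpsDocHttpsScript: matchesSourceExpression('example.com', script.https, doc.https), // true
  };
}

console.log(threadExample());
```

The only input that changes between the second and third calls is the protected resource, which is exactly the point of Mike's reply: the same `script-src example.com` admits an http script from an http page and refuses it from an https page.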