- From: Frederik Braun <fbraun@mozilla.com>
- Date: Tue, 01 Jul 2014 10:46:30 +0200
- To: public-webappsec@w3.org
Given that all other technologies set a barrier, I don't think CSP should deviate. But we (obviously) allow * to match beyond public-suffixes, which I find notable.

On 30.06.2014 18:34, Brad Hill wrote:
> One other issue: we don't seem to prohibit wildcard matching or set a
> barrier on public-suffixes. This is a barrier for TLS wildcards, for
> cookies, etc.
>
> It's not totally clear to me that this bit of extra complexity adds its
> weight in practical security, but something to consider, especially for
> cloud hosting use cases.
>
> e.g. if I trust *.example.com, should that also
> include 3rdParty.cloudhosting.example.com, if cloudhosting.example.com
> is a public-suffix?
>
> -Brad
Received on Tuesday, 1 July 2014 08:46:59 UTC
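The matching question in this thread, as an added illustration that is not code from the thread or from any browser: CSP host-source wildcard matching as specified (a leading `*.` matches one or more extra labels, no public-suffix check) next to a hypothetical variant that refuses a match when the wildcard would span a public suffix. The public-suffix set is constructed for the example, treating `cloudhosting.example.com` as a public suffix exactly as Brad's message supposes.

```python
"""CSP host-source wildcard matching, with and without a public-suffix barrier.

Constructed example. CSP source expressions compare hostname labels from the
right; '*.example.com' matches any host with at least one label in front of
'example.com' (but not 'example.com' itself). The barrier variant is the
thread's hypothetical, modelled on the cookie and TLS-wildcard rules.
"""

# Constructed stand-in for a public-suffix list: 'cloudhosting.example.com'
# is included because the thread supposes it is a public suffix. A real
# deployment would load the list from publicsuffix.org.
PUBLIC_SUFFIXES = {"com", "co.uk", "cloudhosting.example.com"}


def _labels(host: str) -> list[str]:
    """Lower-case, drop a trailing dot, split into DNS labels."""
    return host.lower().rstrip(".").split(".")


def csp_host_matches(source: str, host: str) -> bool:
    """CSP behaviour as specified: no public-suffix awareness at all."""
    src, hst = _labels(source), _labels(host)
    if src[0] == "*":
        base = src[1:]
        if not base:                      # a bare '*' matches any host
            return True
        return len(hst) > len(base) and hst[-len(base):] == base
    return src == hst


def csp_host_matches_with_barrier(source: str, host: str) -> bool:
    """Hypothetical variant: the wildcard may not cross a public suffix.

    The match is refused when the wildcard base is itself a public suffix
    (like '*.co.uk') or when a public suffix sits between the base and the
    host (like 'cloudhosting.example.com' under '*.example.com').
    """
    if not csp_host_matches(source, host):
        return False
    src, hst = _labels(source), _labels(host)
    if src[0] != "*":
        return True                       # exact host, nothing to span
    base_len = len(src) - 1
    # Check every suffix of the host from the wildcard base up to (but not
    # including) the full host name against the public-suffix set.
    for n in range(max(base_len, 1), len(hst)):
        if ".".join(hst[-n:]) in PUBLIC_SUFFIXES:
            return False
    return True
```

With the barrier, `*.example.com` still covers `www.example.com` but no longer reaches `3rdParty.cloudhosting.example.com`, and `*.co.uk` matches nothing at all.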