Re: CSP wildcard host matching

Given that all other technologies set a barrier, I don't think CSP
should deviate.
But we (obviously) allow * to match beyond public-suffixes, which I find
notable.

On 30.06.2014 18:34, Brad Hill wrote:
> One other issue: we don't seem to prohibit wildcard matching or set a
> barrier on public-suffixes.  This is a barrier for TLS wildcards, for
> cookies, etc.
> 
> It's not totally clear to me that this bit of extra complexity adds its
> weight in practical security, but something to consider, especially for
> cloud hosting use cases.
> 
> e.g. if I trust *.example.com, should that also
> include 3rdParty.cloudhosting.example.com, if cloudhosting.example.com
> is a public-suffix?
> 
> -Brad
> 

Received on Tuesday, 1 July 2014 08:46:59 UTC
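The matching behaviour the thread is discussing, as an added example that is not part of the original messages or of any CSP implementation: the first function is CSP host-part matching as the spec defines it (a leading `*.` matches any host ending in the remainder, at any depth, but not the bare domain), and the linter beneath it flags wildcard host-sources whose base has a public suffix at or below it, which is exactly the case Brad raises. The public-suffix set is constructed for the example, with `cloudhosting.example.com` standing in for a provider that hands subdomains to unrelated customers; a real check would consult the Public Suffix List.

```python
from typing import Dict, List, Optional

# Constructed public-suffix sample (hypothetical; a real linter would load
# the Public Suffix List). "cloudhosting.example.com" plays the role of a
# hosting provider whose subdomains belong to unrelated third parties.
PUBLIC_SUFFIXES = {"com", "co.uk", "cloudhosting.example.com"}


def host_matches(pattern: str, host: str) -> bool:
    """CSP host-part matching, host component only.

    '*'             matches any host
    '*.example.com' matches any host ending in '.example.com' at any depth,
                    but not 'example.com' itself
    'example.com'   matches exactly 'example.com'
    """
    pattern = pattern.lower()
    host = host.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        remaining = pattern[1:]  # keep the leading dot: ".example.com"
        return host.endswith(remaining)
    return pattern == host


def _host_of(source: str) -> str:
    """Strip an optional scheme, path and port from a host-source expression."""
    host = source.split("://", 1)[-1]
    host = host.split("/", 1)[0]
    if ":" in host:
        host = host.rsplit(":", 1)[0]
    return host


def public_suffixes_under(base: str, suffixes=PUBLIC_SUFFIXES) -> List[str]:
    """Public suffixes equal to `base` or nested beneath it."""
    base = base.lower()
    return sorted(s for s in suffixes if s == base or s.endswith("." + base))


def lint_source(source: str, suffixes=PUBLIC_SUFFIXES) -> Optional[str]:
    """Warn when a wildcard host-source reaches across a public-suffix
    boundary, i.e. would also match hosts controlled by unrelated parties.
    Returns None when the source passes this check."""
    host = _host_of(source)
    if not host.startswith("*."):
        return None
    crossed = public_suffixes_under(host[2:], suffixes)
    if not crossed:
        return None
    return (f"{source} also matches hosts under public suffix(es) "
            f"{', '.join(crossed)}; list the trusted hosts explicitly instead")


def lint_policy(policy: str, suffixes=PUBLIC_SUFFIXES) -> Dict[str, str]:
    """Lint every source expression in a CSP string; returns {source: warning}."""
    findings: Dict[str, str] = {}
    for directive in policy.split(";"):
        parts = directive.split()
        for source in parts[1:]:  # parts[0] is the directive name
            msg = lint_source(source, suffixes)
            if msg:
                findings[source] = msg
    return findings


if __name__ == "__main__":
    # The case from the thread: *.example.com reaches a third party's host.
    print(host_matches("*.example.com", "3rdParty.cloudhosting.example.com"))
    for src, warning in lint_policy(
        "default-src 'self'; script-src https://*.example.com cdn.example.org"
    ).items():
        print(f"{src}: {warning}")
```

The linter mirrors the barrier TLS wildcard issuance and cookie scoping already apply: `*.cloudhosting.example.com` is flagged because its base is itself a public suffix, and `*.example.com` is flagged because a public suffix sits beneath it, while `*.app.example.com` passes.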