W3C home > Mailing lists > Public > public-webappsec@w3.org > July 2014

Re: CSP wildcard host matching

From: Mike West <mkwst@google.com>
Date: Tue, 1 Jul 2014 11:05:40 +0200
Message-ID: <CAKXHy=cMb1Hf5_28B6Ypj5ZcSL3zcVdeik7=pPYt3EdrWERfag@mail.gmail.com>
To: Anne van Kesteren <annevk@annevk.nl>
Cc: Frederik Braun <fbraun@mozilla.com>, Ryan Sleevi <rsleevi@chromium.org>, WebAppSec WG <public-webappsec@w3.org>
I think bringing the PSL in here sincerely overcomplicates the way
developers have to understand the syntax.

I'm perfectly happy with trusting developers to understand that setting
`*.com` is a bad idea.

-mike

--
Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg
Geschäftsführer: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)


On Tue, Jul 1, 2014 at 10:51 AM, Anne van Kesteren <annevk@annevk.nl> wrote:

> On Tue, Jul 1, 2014 at 10:46 AM, Frederik Braun <fbraun@mozilla.com>
> wrote:
> > Given that all other technologies set a barrier, I don't think CSP
> > should deviate.
> > But we (obviously) allow * to match beyond public-suffixes which I find
> > notable.
>
> Do we really want to expand the set of things PSL covers? Not a fan.
> What does that even mean here? If you have *.uk, {anything}.co.uk
> would not match?
>
>
> --
> http://annevankesteren.nl/
>
>
Received on Tuesday, 1 July 2014 09:06:26 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:06 UTC