W3C home > Mailing lists > Public > public-webappsec@w3.org > June 2014

Re: CSP wildcard host matching

From: Mike West <mkwst@google.com>
Date: Sun, 29 Jun 2014 10:49:46 +0200
Message-ID: <CAKXHy=cKkPzOZWDDtb2VMNpwdgJsU9jMpCVx=PP+hQEyGmdFDw@mail.gmail.com>
To: Sid Stamm <sid@mozilla.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Moving to public-webappsec@.

On Fri, Jun 27, 2014 at 10:56 PM, Sid Stamm <sid@mozilla.com> wrote:

> Hey Mike,
> Take a look at this:
> https://bugzilla.mozilla.org/show_bug.cgi?id=1011841#c1
> I think I interpreted the spec accordingly (*.a.com matches b.a.com but
> not a.com).
> According to the person who filed the bug Chrome matches in a way other
> than what the spec says (*.a.com matches a.com and b.a.com).
> Anyway, what do you think?

I agree that that's what the spec says, but I'm not sure it makes sense. :)
If a developer whitelists `*.example.com`, I think it's reasonable to
assume that they mean "All of the stuff on `example.com`."

Any objections from the WG to changing the spec to allow `*.example.com` to
mean `example.com` plus any and all subdomains?

Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg
Geschäftsführer: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
Received on Sunday, 29 June 2014 08:50:33 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:39 UTC