Re: CSP wildcard host matching

Moving to public-webappsec@.

On Fri, Jun 27, 2014 at 10:56 PM, Sid Stamm wrote:

> Hey Mike,
> Take a look at this:
> I think I interpreted the spec accordingly (* matches but
> not
> According to the person who filed the bug Chrome matches in a way other
> than what the spec says (* matches and
> Anyway, what do you think?

I agree that that's what the spec says, but I'm not sure it makes sense. :)
If a developer whitelists `*`, I think it's reasonable to
assume that they mean "All of the stuff on ``."

Any objections from the WG to changing the spec to allow `*` to
mean `` plus any and all subdomains?

Mike West

Received on Sunday, 29 June 2014 08:50:33 UTC
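
The two readings discussed in the message above, side by side, as an added example that is not part of the original email or of any browser's code. It assumes the pattern is a leading-wildcard host source; `*.example.com` and the test hostnames are constructed placeholders, the function names are hypothetical, and only the host part is compared (no scheme, port or path).

```javascript
// Added illustration. Hostnames are constructed; function names are hypothetical.

// Reading 1: the wildcard stands for one or more subdomain labels,
// so the bare domain itself is NOT covered by "*.example.com".
function matchesHostSpec(pattern, host) {
  const p = pattern.toLowerCase();
  const h = host.toLowerCase();
  if (!p.startsWith("*.")) return p === h;   // no wildcard: exact match only
  const suffix = p.slice(1);                 // ".example.com", leading dot kept
  // Keeping the dot is what stops "badexample.com" from matching.
  return h.length > suffix.length && h.endsWith(suffix);
}

// Reading 2 (the change proposed in the thread): the bare domain
// plus any and all subdomains.
function matchesHostProposed(pattern, host) {
  const p = pattern.toLowerCase();
  if (p.startsWith("*.") && host.toLowerCase() === p.slice(2)) return true;
  return matchesHostSpec(pattern, host);
}

// Evaluate every host under both readings.
function compare(pattern, hosts) {
  return hosts.map((host) => ({
    host,
    spec: matchesHostSpec(pattern, host),
    proposed: matchesHostProposed(pattern, host),
  }));
}

// Hosts where the two readings disagree: these are the ones a policy
// author has to allow explicitly if the enforcing browser uses reading 1.
function divergent(pattern, hosts) {
  return compare(pattern, hosts)
    .filter((r) => r.spec !== r.proposed)
    .map((r) => r.host);
}

const sampleHosts = [            // constructed sample input
  "example.com",
  "www.example.com",
  "a.b.example.com",
  "badexample.com",
  "example.com.evil.test",
];
console.table(compare("*.example.com", sampleHosts));
```

A policy that must behave the same under either reading lists both the bare host and the wildcard form as separate source expressions.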