W3C home > Mailing lists > Public > public-webappsec@w3.org > June 2014

Re: CSP wildcard host matching

From: Mike West <mkwst@google.com>
Date: Sun, 29 Jun 2014 11:42:19 +0200
Message-ID: <CAKXHy=da=N-PrUD6D3Cb9x4eMA2QYhZZ02Ar-h5NSm_=1c3E7A@mail.gmail.com>
To: Anne van Kesteren <annevk@annevk.nl>
Cc: Sid Stamm <sid@mozilla.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On Sun, Jun 29, 2014 at 11:32 AM, Anne van Kesteren <annevk@annevk.nl>
wrote:

> On Sun, Jun 29, 2014 at 10:49 AM, Mike West <mkwst@google.com> wrote:
> > Any objections from the WG to changing the spec to allow `*.example.com`
> to
> > mean `example.com` plus any and all subdomains?
>
> That seems rather magical. Normally those would be distinct origins.
>

As are `xxx.example.com` and `yyy.example.com`. I'm hard-pressed to think
of a scenario in which resources from those two origins would be
acceptable, but resources from `example.com` wouldn't.

If there's a need for the granularity, fine. I'm just worried that most
folks making use of wildcards will end up with `img-src *.example.com
example.com`.

-mike

--
Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg
Geschäftsführer: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
Received on Sunday, 29 June 2014 09:43:06 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:05 UTC