- From: Mike West <mkwst@google.com>
- Date: Sun, 29 Jun 2014 11:42:19 +0200
- To: Anne van Kesteren <annevk@annevk.nl>
- Cc: Sid Stamm <sid@mozilla.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Received on Sunday, 29 June 2014 09:43:06 UTC
On Sun, Jun 29, 2014 at 11:32 AM, Anne van Kesteren <annevk@annevk.nl> wrote:

> On Sun, Jun 29, 2014 at 10:49 AM, Mike West <mkwst@google.com> wrote:
> > Any objections from the WG to changing the spec to allow `*.example.com` to
> > mean `example.com` plus any and all subdomains?
>
> That seems rather magical. Normally those would be distinct origins.

As are `xxx.example.com` and `yyy.example.com`. I'm hard-pressed to think of a scenario in which resources from those two origins would be acceptable, but resources from `example.com` wouldn't.

If there's a need for the granularity, fine. I'm just worried that most folks making use of wildcards will end up with `img-src *.example.com example.com`.

-mike

--
Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registration court and number: Hamburg, HRB 86891
Registered office: Hamburg
Managing directors: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
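The wildcard semantics discussed in this message, as an added example that is not part of the original email or of any specification text: it compares subdomain-only matching of `*.example.com` with the proposed reading that also covers `example.com`. The function names, the `apexIncluded` switch and the sample hosts are assumptions made for illustration, and only the host part of a source expression is modelled (no scheme, port or path).

```javascript
// Added illustration; hostMatches/allowedHosts and `apexIncluded` are hypothetical names.

function hostMatches(expr, host, apexIncluded = false) {
  const e = expr.toLowerCase();
  const h = host.toLowerCase();
  if (!e.startsWith("*.")) return e === h;      // plain host entry: exact match only
  const suffix = e.slice(1);                    // "*.example.com" -> ".example.com"
  // Subdomain-only reading: at least one label must precede the suffix.
  if (h.length > suffix.length && h.endsWith(suffix)) return true;
  // Proposed reading from the thread: the wildcard also covers the bare domain.
  return apexIncluded && h === suffix.slice(1);
}

function allowedHosts(sourceList, hosts, apexIncluded = false) {
  const exprs = sourceList.trim().split(/\s+/);
  return hosts.filter((h) => exprs.some((x) => hostMatches(x, h, apexIncluded)));
}

// Constructed sample hosts, including two look-alikes that must never match.
const SAMPLE_HOSTS = [
  "example.com",
  "xxx.example.com",
  "yyy.example.com",
  "a.b.example.com",
  "notexample.com",
  "example.com.evil.test",
];

// Subdomain-only matching: the bare domain is left out of the wildcard.
console.log("wildcard only:      ", allowedHosts("*.example.com", SAMPLE_HOSTS));
// The source list the message expects most policy authors to end up writing.
console.log("wildcard + apex:    ", allowedHosts("*.example.com example.com", SAMPLE_HOSTS));
// Proposed semantics: one entry gives the same result as the two-entry list.
console.log("proposed, wildcard: ", allowedHosts("*.example.com", SAMPLE_HOSTS, true));
```

Under either reading the look-alike hosts are rejected, because the comparison keeps the leading dot of the suffix.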