W3C home > Mailing lists > Public > public-webappsec@w3.org > June 2014

Re: CSP wildcard host matching

From: Anne van Kesteren <annevk@annevk.nl>
Date: Sun, 29 Jun 2014 11:53:40 +0200
Message-ID: <CADnb78jPNU0Bv3Tqy7jJu7sZ0nX=MfD9jbVx5w4Z8HJEHrsUEA@mail.gmail.com>
To: Mike West <mkwst@google.com>
Cc: Sid Stamm <sid@mozilla.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On Sun, Jun 29, 2014 at 11:42 AM, Mike West <mkwst@google.com> wrote:
> As are `xxx.example.com` and `yyy.example.com`. I'm hard-pressed to think of
> a scenario in which resources from those two origins would be acceptable,
> but resources from `example.com` wouldn't.

Maybe once we have a way to restrict cookies to be same-origin and you
wouldn't want same-origin credentialed fetches for resources that
ought to come from cdn{1-10}.example.com. Of course, having a way to
manipulate request's credentials mode just like you can manipulate
referrer soon might also address that.

It also seems counter-intuitive that the * crosses the dot.

Received on Sunday, 29 June 2014 09:54:07 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:39 UTC