Re: CSP wildcard host matching

On Sun, Jun 29, 2014 at 11:42 AM, Mike West <> wrote:
> As are `` and ``. I'm hard-pressed to think of
> a scenario in which resources from those two origins would be acceptable,
> but resources from `` wouldn't.

Maybe once we have a way to restrict cookies to be same-origin and you
wouldn't want same-origin credentialed fetches for resources that
ought to come from cdn{1-10} Of course, having a way to
manipulate request's credentials mode just like you can manipulate
referrer soon might also address that.

It also seems counter-intuitive that the * crosses the dot.


Received on Sunday, 29 June 2014 09:54:07 UTC
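
The matching behaviour discussed in this thread, as an added example that is not part of the original messages: the CSP host-part rule, where everything after a leading `*` must match the end of the host, next to a hypothetical single-label variant in which `*` does not cross the dot. The function names and all hostnames are assumptions constructed for illustration.

```javascript
// CSP host-part rule: if the pattern starts with "*", the remaining
// characters (including the leading ".") must be an ASCII case-insensitive
// match for the rightmost characters of the host.
function cspHostMatches(pattern, host) {
  const p = pattern.toLowerCase();
  const h = host.toLowerCase();
  if (p === "*") return true;             // bare wildcard host-part
  if (p.startsWith("*.")) return h.endsWith(p.slice(1));
  return p === h;                         // no wildcard: exact host match
}

// Hypothetical stricter variant (not CSP behaviour): "*" stands for exactly
// one DNS label, so it cannot cross a dot.
function singleLabelMatches(pattern, host) {
  const p = pattern.toLowerCase();
  const h = host.toLowerCase();
  if (!p.startsWith("*.")) return p === h;
  const suffix = p.slice(1);
  if (!h.endsWith(suffix)) return false;
  const label = h.slice(0, h.length - suffix.length);
  return label.length > 0 && !label.includes(".");
}

// Audit helper: hosts a policy allows only because "*" spans several labels.
function allowedOnlyByCrossingDot(pattern, hosts) {
  return hosts.filter(
    (h) => cspHostMatches(pattern, h) && !singleLabelMatches(pattern, h)
  );
}

// Constructed sample hosts.
const sampleHosts = [
  "cdn1.example.com",        // one label: both rules match
  "a.b.example.com",         // two labels: only the CSP rule matches
  "example.com",             // bare domain: "*.example.com" does not match
  "CDN2.Example.COM",        // matching is case-insensitive
  "notexample.com",          // lacks the "." boundary: no match
  "example.com.other.test",  // suffix differs: no match
];

for (const h of sampleHosts) {
  console.log(h, cspHostMatches("*.example.com", h),
    singleLabelMatches("*.example.com", h));
}
console.log(allowedOnlyByCrossingDot("*.example.com", sampleHosts));
```

Running the helper over the hostnames a site actually serves from shows which ones a wildcard source expression admits beyond the single-label case a policy author may have had in mind.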