W3C home > Mailing lists > Public > public-webappsec@w3.org > June 2014

Re: CSP wildcard host matching

From: Hill, Brad <bhill@paypal.com>
Date: Sun, 29 Jun 2014 21:24:07 +0000
To: Anne van Kesteren <annevk@annevk.nl>
CC: Mike West <mkwst@google.com>, Sid Stamm <sid@mozilla.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <8841FC2C-C5B0-4AA2-955A-D5912BD0D199@paypal.com>
This is already "a problem" in PKIX certificates today.

The proposed change would also be different from the matching
rules for TLS in FRF2595:

http://www.ietf.org/rfc/rfc2595.txt

   - A "*" wildcard character MAY be used as the left-most name
     component in the certificate.  For example, *.example.com would
     match a.example.com, foo.example.com, etc. but would not match
     example.com.

People live with this rule, and it matches the implicit multi-level structure of the SOP elsewhere.

I question how important making this change actually is to developing policies.  In the certificate case, I think the where this issue almost always comes up is when a site hosts itself on both "www.example.com" and "example.com", in which case for CSP the 'self' token handles it adequately and should be preferred.  I think it's probably a much rarer case that a third-party site needs to include resources across that boundary in a wildcard manner.

-Brad


On Jun 29, 2014, at 2:53 AM, Anne van Kesteren <annevk@annevk.nl> wrote:

> On Sun, Jun 29, 2014 at 11:42 AM, Mike West <mkwst@google.com> wrote:
>> As are `xxx.example.com` and `yyy.example.com`. I'm hard-pressed to think of
>> a scenario in which resources from those two origins would be acceptable,
>> but resources from `example.com` wouldn't.
> 
> Maybe once we have a way to restrict cookies to be same-origin and you
> wouldn't want same-origin credentialed fetches for resources that
> ought to come from cdn{1-10}.example.com. Of course, having a way to
> manipulate request's credentials mode just like you can manipulate
> referrer soon might also address that.
> 
> It also seems counter-intuitive that the * crosses the dot.
> 
> 
> -- 
> http://annevankesteren.nl/
> 
Received on Sunday, 29 June 2014 21:24:35 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:05 UTC