W3C home > Mailing lists > Public > public-webappsec@w3.org > June 2014

Re: CSP wildcard host matching

From: Mike West <mkwst@google.com>
Date: Mon, 30 Jun 2014 08:07:37 +0200
Message-ID: <CAKXHy=d_29eOkpCv7pwD=wHY+sugmKraX8+ZJk29NER3CGbx_g@mail.gmail.com>
To: "Hill, Brad" <bhill@paypal.com>
Cc: Anne van Kesteren <annevk@annevk.nl>, Sid Stamm <sid@mozilla.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On Sun, Jun 29, 2014 at 11:24 PM, Hill, Brad <bhill@paypal.com> wrote:

> This is already "a problem" in PKIX certificates today.
> <snip>

I question how important making this change actually is to developing
> policies.  In the certificate case, I think the where this issue almost
> always comes up is when a site hosts itself on both "www.example.com" and
> "example.com", in which case for CSP the 'self' token handles it
> adequately and should be preferred.  I think it's probably a much rarer
> case that a third-party site needs to include resources across that
> boundary in a wildcard manner.
>

I don't think it's "important", but it's a case where Firefox and Chrome
diverge.

I continue to think it's counter-intuitive for the wildcard to exclude the
base host, but I certainly don't think it's worth arguing at length about,
nor do I think it'll have much practical impact.

I'll go change Blink, and we'll leave things as they are.

-mike


--
Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg
Geschäftsführer: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
Received on Monday, 30 June 2014 06:08:24 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:05 UTC