On Sun, Jun 29, 2014 at 11:24 PM, Hill, Brad <bhill@paypal.com> wrote: > This is already "a problem" in PKIX certificates today. > <snip> I question how important making this change actually is to developing > policies. In the certificate case, I think the where this issue almost > always comes up is when a site hosts itself on both "www.example.com" and > "example.com", in which case for CSP the 'self' token handles it > adequately and should be preferred. I think it's probably a much rarer > case that a third-party site needs to include resources across that > boundary in a wildcard manner. > I don't think it's "important", but it's a case where Firefox and Chrome diverge. I continue to think it's counter-intuitive for the wildcard to exclude the base host, but I certainly don't think it's worth arguing at length about, nor do I think it'll have much practical impact. I'll go change Blink, and we'll leave things as they are. -mike -- Mike West <mkwst@google.com> Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91 Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany Registergericht und -nummer: Hamburg, HRB 86891 Sitz der Gesellschaft: Hamburg Geschäftsführer: Graham Law, Christine Elizabeth Flores (Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
Received on Monday, 30 June 2014 06:08:24 UTC