[CSP] URI Query part matching

From: Brian Smith <brian@briansmith.org>
Date: Wed, 5 Nov 2014 17:34:14 -0800
Message-ID: <CAFewVt7aJjeyjy92DoObtaV7Qr32hCp+i=JvoyToTmwbQO3RAg@mail.gmail.com>
To: "public-webappsec@w3.org" <public-webappsec@w3.org>

Hi,

In the current draft of CSP 2, there is this text:

"Note: Query strings have no impact on matching: the source expression
example.com/file?key=value matches all of https://example.com/file,
https://example.com/file?key=value, https://example.com/file?key=notvalue,
and https://example.com/file?notkey=notvalue."

This implies that there is a case in which the UA will attempt to match a
URI containing a query component with another one. However, the syntax
doesn't allow the query component, so this can never happen, AFAICT. In
particular, the example source expression example.com/file?key=value is
invalid, right?

If so, I think the example should be corrected to demonstrate valid CSP
syntax instead of invalid CSP syntax.

Cheers,
Brian
Received on Thursday, 6 November 2014 01:34:41 UTC
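
The syntax point raised in the message above, as an added example that is not part of the original message or of the CSP specification text: a simplified JavaScript reading of the CSP 2 host-source grammar, in which path-part is the RFC 3986 path production, together with a matcher that compares only the URL's path. The function names are hypothetical, the page is assumed to be served over https, and redirects are not modelled.

```javascript
// Added example: simplified CSP 2 host-source parsing and matching.
// host-source = [ scheme-part "://" ] host-part [ port-part ] [ path-part ]
// path-part is the RFC 3986 path production, which cannot contain "?" or "#".
const PCHAR = "(?:[A-Za-z0-9._~!$&'()*+,;=:@-]|%[0-9A-Fa-f]{2})";
const HOST_SOURCE = new RegExp(
  "^(?:([A-Za-z][A-Za-z0-9+.-]*)://)?" +                  // scheme-part
  "(\\*|(?:\\*\\.)?[A-Za-z0-9-]+(?:\\.[A-Za-z0-9-]+)*)" + // host-part
  "(?::([0-9]+|\\*))?" +                                  // port-part
  "((?:/" + PCHAR + "*)*)$"                               // path-part
);

// Returns the parsed parts, or null when expr is not valid host-source syntax.
function parseHostSource(expr) {
  const m = HOST_SOURCE.exec(expr);
  if (!m) return null;
  return { scheme: m[1] || null, host: m[2].toLowerCase(), port: m[3] || null, path: m[4] };
}

// Percent-decode, leaving malformed sequences untouched instead of throwing.
const dec = (s) => { try { return decodeURIComponent(s); } catch { return s; } };

// Assumption: the protected page is served over https, so a scheme-less
// expression matches https URLs only.
function sourceMatches(expr, urlString) {
  const src = parseHostSource(expr);
  if (!src) return false; // an invalid expression never reaches matching
  const url = new URL(urlString);
  const scheme = url.protocol.slice(0, -1);
  if ((src.scheme || "https").toLowerCase() !== scheme) return false;
  const host = url.hostname.toLowerCase();
  if (src.host.startsWith("*.")) {
    if (!host.endsWith(src.host.slice(1))) return false;
  } else if (src.host !== "*" && src.host !== host) return false;
  const port = url.port || { http: "80", https: "443" }[scheme] || "";
  if (src.port === null) { if (url.port !== "") return false; }
  else if (src.port !== "*" && src.port !== port) return false;
  if (src.path === "") return true;
  // Only url.pathname is compared; url.search (the query) is never consulted.
  const want = dec(src.path), got = dec(url.pathname);
  return want.endsWith("/") ? got.startsWith(want) : got === want;
}

// The four URLs from the quoted note, checked against the query-free expression.
for (const q of ["", "?key=value", "?key=notvalue", "?notkey=notvalue"]) {
  console.log(q || "(no query)", sourceMatches("example.com/file", "https://example.com/file" + q));
}
console.log(parseHostSource("example.com/file?key=value")); // rejected by the grammar
```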