- From: Brian Smith <brian@briansmith.org>
- Date: Wed, 5 Nov 2014 17:34:14 -0800
- To: "public-webappsec@w3.org" <public-webappsec@w3.org>
Received on Thursday, 6 November 2014 01:34:41 UTC
Hi,

In the current draft of CSP 2, there is this text:

"Note: Query strings have no impact on matching: the source expression example.com/file?key=value matches all of https://example.com/file, https://example.com/file?key=value, https://example.com/file?key=notvalue, and https://example.com/file?notkey=notvalue."

This implies that there is a case in which the UA will attempt to match a URI containing a query component with another one. However, the syntax doesn't allow the query component, so this can never happen, AFAICT.

In particular, the example source expression example.com/file?key=value is invalid, right? If so, I think the example should be corrected to demonstrate valid CSP syntax instead of invalid CSP syntax.

Cheers,
Brian
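An added illustration of the point raised in the message above (not part of the original post or of the CSP draft): a simplified host-source parser and matcher in which the RFC 3986 path characters decide whether a source expression is valid, and the URL's query is dropped before comparison. The function names are hypothetical; wildcards, percent-decoding and the draft's scheme rules for scheme-less expressions are left out as stated assumptions.

```javascript
// Added example: simplified CSP host-source parsing and matching.
// Assumptions: no wildcards, no percent-decoding, scheme-less expressions accept any scheme.

// RFC 3986 path characters: "/" plus pchar. "?" and "#" are not in this set.
const PATH_RE = /^(?:\/(?:[A-Za-z0-9\-._~!$&'()*+,;=:@\/]|%[0-9A-Fa-f]{2})*)?$/;
// [scheme "://"] host [":" port] rest-of-expression
const HOST_SOURCE_RE =
  /^(?:([A-Za-z][A-Za-z0-9+.\-]*):\/\/)?([A-Za-z0-9\-]+(?:\.[A-Za-z0-9\-]+)*)(?::(\d+))?(.*)$/;

function parseHostSource(expr) {
  const m = HOST_SOURCE_RE.exec(expr);
  if (!m) return null;
  const [, scheme, host, port, path] = m;
  if (!PATH_RE.test(path)) return null; // e.g. "/file?key=value" is not a path
  return {
    scheme: scheme ? scheme.toLowerCase() : null,
    host: host.toLowerCase(),
    port: port || null,
    path,
  };
}

function matches(expr, urlString) {
  const src = parseHostSource(expr);
  if (src === null) return false; // an invalid expression matches nothing
  const url = new URL(urlString);
  const urlPort = url.port || (url.protocol === "https:" ? "443" : "80");
  if (src.scheme && src.scheme + ":" !== url.protocol) return false;
  if (src.host !== url.hostname) return false;
  if (src.port && src.port !== urlPort) return false;
  if (src.path === "") return true;
  // url.pathname never contains the query, so "?key=value" plays no part here.
  return src.path.endsWith("/")
    ? url.pathname.startsWith(src.path)
    : url.pathname === src.path;
}

// Constructed sample inputs taken from the note quoted in the message.
for (const u of ["https://example.com/file", "https://example.com/file?key=notvalue"]) {
  console.log(u, matches("example.com/file", u));
}
console.log(parseHostSource("example.com/file?key=value")); // null
```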