[CSP] URI Query part matching from Brian Smith on 2014-11-06 (public-webappsec@w3.org from November 2014)

From: Brian Smith <brian@briansmith.org>
Date: Wed, 5 Nov 2014 17:34:14 -0800
To: "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <CAFewVt7aJjeyjy92DoObtaV7Qr32hCp+i=JvoyToTmwbQO3RAg@mail.gmail.com>

Hi,

In the current draft of CSP 2, there is this text:

"Note: Query strings have no impact on matching: the source expression
example.com/file?key=value matches all of https://example.com/file,
https://example.com/file?key=value, https://example.com/file?key=notvalue,
and https://example.com/file?notkey=notvalue."

This implies that there is a case in which the UA will attempt to match a
URI containing a query component with another one. However, the syntax
doesn't allow the query component, so this can never happen, AFAICT. In
particular, the example source expression example.com/file?key=value is
invalid, right?

If so, I think the example should be corrected to demonstrate valid CSP
syntax instead of invalid CSP syntax.

Cheers,
Brian

Received on Thursday, 6 November 2014 01:34:41 UTC