[CSP] URI Query part matching

Hi,

In the current draft of CSP 2, there is this text:

"Note: Query strings have no impact on matching: the source expression
example.com/file?key=value matches all of https://example.com/file,
https://example.com/file?key=value, https://example.com/file?key=notvalue,
and https://example.com/file?notkey=notvalue."

This implies that there is a case in which the UA will attempt to match a
URI containing a query component with another one. However, the syntax
doesn't allow the query component, so this can never happen, AFAICT. In
particular, the example source expression example.com/file?key=value is
invalid, right?

If so, I think the example should be corrected to demonstrate valid CSP
syntax instead of invalid CSP syntax.

Cheers,
Brian

Received on Thursday, 6 November 2014 01:34:41 UTC