- From: Brian Smith <brian@briansmith.org>
- Date: Wed, 5 Nov 2014 17:44:04 -0800
- To: "public-webappsec@w3.org" <public-webappsec@w3.org>
Received on Thursday, 6 November 2014 01:44:31 UTC
Consider:

Content-Security-Policy: script-src https://example.com.

This is illegal, because the syntax doesn't allow the trailing dot at the end.

Now, consider:

Content-Security-Policy: script-src https://example.com

Does this match?:

<script src='https://example.com./a.js'>

In most (all?) parts of the browser, we could consider this a match, but the CSP 2 draft doesn't mention this.

I think it would be useful to explicitly call these cases out in the specification, and also it would be useful to add them to the test suite.

Cheers,
Brian
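The two cases from the message above, as an added example that is not part of the original post and is not taken from the CSP 2 draft or any browser. The `HOST_SOURCE` grammar is a simplified scheme-plus-host subset, and `parseHostSource`, `hostMatches` and the `stripTrailingDot` switch are hypothetical names; the switch exists only to show both possible answers to the question the message raises.

```javascript
// Simplified host-source grammar (assumption): optional scheme, then "*",
// or an optional "*." followed by dot-separated labels. No port or path.
// As the message notes, a trailing dot after the host does not parse.
const HOST_SOURCE =
  /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[a-z0-9-]+(?:\.[a-z0-9-]+)*)$/i;

function parseHostSource(expr) {
  const m = HOST_SOURCE.exec(expr);
  if (!m) return null;
  return { scheme: m[1] ? m[1].toLowerCase() : null, host: m[2].toLowerCase() };
}

// stripTrailingDot selects one of the two behaviours a spec could choose:
//   false: compare the URL host to the expression host as written
//   true:  treat "example.com." (fully qualified) the same as "example.com"
function hostMatches(url, expr, { stripTrailingDot }) {
  const src = parseHostSource(expr);
  if (!src) return false; // this sketch: an unparsable expression matches nothing
  const u = new URL(url);
  let host = u.hostname.toLowerCase(); // WHATWG URL keeps the trailing dot
  if (stripTrailingDot && host.endsWith('.')) host = host.slice(0, -1);
  if (src.scheme && u.protocol !== src.scheme + ':') return false;
  if (src.host === '*') return true;
  if (src.host.startsWith('*.')) return host.endsWith(src.host.slice(1));
  return host === src.host;
}

// Constructed inputs taken from the message.
function trailingDotCases() {
  const policy = 'https://example.com';
  const script = 'https://example.com./a.js';
  return {
    dottedPolicyParses: parseHostSource('https://example.com.') !== null,
    exactCompare: hostMatches(script, policy, { stripTrailingDot: false }),
    normalized: hostMatches(script, policy, { stripTrailingDot: true }),
  };
}

console.log(trailingDotCases());
```

A test-suite case for this would pin down which of `exactCompare` and `normalized` is the required result, so that the CSP check and the rest of the browser agree on whether the two hosts are the same origin.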