
[CSP] Relative/absolute hostname matching

From: Brian Smith <brian@briansmith.org>
Date: Wed, 5 Nov 2014 17:44:04 -0800
Message-ID: <CAFewVt7pg6K4BZCzmtcnx6LgWyEw_+nP-7EkrttM_Sos2C6RZw@mail.gmail.com>
To: "public-webappsec@w3.org" <public-webappsec@w3.org>

    Content-Security-Policy: script-src https://example.com.

This is illegal, because the syntax doesn't allow the trailing dot at the

Now, consider:

    Content-Security-Policy: script-src https://example.com

Does this match?:

    <script src='https://example.com./a.js'>

In most (all?) parts of the browser, we could consider this a match, but
the CSP 2 draft doesn't mention this. I think it would be useful to
explicitly call these cases out in the specification, and also it would be
useful to add them to the test suite.

Received on Thursday, 6 November 2014 01:44:31 UTC
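The two cases in the message, made concrete as an added example (this is not code from the message, from a browser, or from the CSP specification). It implements a simplified form of the CSP 2 host-source grammar as a regex, and a small scheme+host matcher with a switch for the behaviour the message asks about. The function names, the regex simplification, and the choice to strip a single trailing dot under normalization are all assumptions made here; the draft the message discusses does not say which behaviour a matcher should have.

```javascript
// Added example, not part of the original message or of the CSP spec.
// All function names are hypothetical; the grammar below is a simplification
// of the CSP 2 host-source production.

// Simplified CSP 2 host-source grammar:
//   [ scheme "://" ] ( "*" | [ "*." ] host-char+ ( "." host-char+ )* )
//   [ ":" ( digits | "*" ) ] [ path ]
// host-char is ALPHA / DIGIT / "-", so a trailing "." after the host
// cannot be derived from the grammar.
const HOST_SOURCE =
  /^(?:[a-z][a-z0-9+.-]*:\/\/)?(?:\*|(?:\*\.)?[a-z0-9-]+(?:\.[a-z0-9-]+)*)(?::(?:\d+|\*))?(?:\/\S*)?$/i;

// First question in the message: is the directive value syntactically legal?
function isValidHostSource(token) {
  return HOST_SOURCE.test(token);
}

// Split "scheme://host..." into scheme and host. Hand-rolled so that the
// trailing dot of a fully-qualified host stays visible instead of depending
// on whatever a URL parser does with it.
function parseSchemeHost(s) {
  const m = /^([a-z][a-z0-9+.-]*):\/\/([^/:?#]+)/i.exec(s);
  return m ? { scheme: m[1].toLowerCase(), host: m[2].toLowerCase() } : null;
}

// Assumption for this example: "example.com." (fully-qualified form) is the
// same host as "example.com", so one trailing dot is removed before comparing.
function stripTrailingDot(host) {
  return host.endsWith('.') ? host.slice(0, -1) : host;
}

// Second question in the message: does a resource URL match a host-source?
// normalizeTrailingDot selects between the two candidate behaviours:
//   false -> raw string comparison of the hosts (request would be blocked)
//   true  -> hosts compared after stripping a trailing dot (request allowed)
function hostSourceMatches(source, resourceUrl, normalizeTrailingDot) {
  const src = parseSchemeHost(source);
  const res = parseSchemeHost(resourceUrl);
  if (!src || !res) return false;
  if (src.scheme !== res.scheme) return false;
  const a = normalizeTrailingDot ? stripTrailingDot(src.host) : src.host;
  const b = normalizeTrailingDot ? stripTrailingDot(res.host) : res.host;
  return a === b;
}

// Constructed sample inputs, taken from the two cases in the message.
const POLICY_WITH_DOT = 'https://example.com.';
const POLICY = 'https://example.com';
const RESOURCE = 'https://example.com./a.js';

// Report both cases side by side so the unspecified behaviour is visible.
function report() {
  return {
    policyWithDotIsValid: isValidHostSource(POLICY_WITH_DOT),
    policyIsValid: isValidHostSource(POLICY),
    strictMatch: hostSourceMatches(POLICY, RESOURCE, false),
    normalizedMatch: hostSourceMatches(POLICY, RESOURCE, true),
  };
}

console.log(report());
```

Run with `node` to see the two behaviours diverge on the same policy and resource: the raw comparison refuses the script, the normalizing comparison accepts it. Either outcome is a defensible implementation of the draft as written, which is exactly why a policy author cannot predict it from the text alone and why a test-suite entry that pins one of them would be useful.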
