[CSP] Relative/absolute hostname matching


    Content-Security-Policy: script-src https://example.com.

This is illegal, because the syntax doesn't allow the trailing dot at the

Now, consider:

    Content-Security-Policy script-src https://example.com

Does this match?:

    <script src='https://example.com./a.js'>

In most (all?) parts of the browser, we could consider this a match, but
the CSP 2 draft doesn't mention this. I think it would be useful to
explicitly call these cases out in the specification, and also it would be
useful to add then to the test suite.


Received on Thursday, 6 November 2014 01:44:31 UTC