
[CSP] Relative/absolute hostname matching

From: Brian Smith <brian@briansmith.org>
Date: Wed, 5 Nov 2014 17:44:04 -0800
Message-ID: <CAFewVt7pg6K4BZCzmtcnx6LgWyEw_+nP-7EkrttM_Sos2C6RZw@mail.gmail.com>
To: "public-webappsec@w3.org" <public-webappsec@w3.org>
Consider:

    Content-Security-Policy: script-src https://example.com.

This is illegal, because the syntax doesn't allow the trailing dot at the
end.

Now, consider:

    Content-Security-Policy: script-src https://example.com

Does this match?:

    <script src='https://example.com./a.js'>

In most (all?) parts of the browser, we could consider this a match, but
the CSP 2 draft doesn't mention this. I think it would be useful to
explicitly call these cases out in the specification, and also it would be
useful to add them to the test suite.

Cheers,
Brian
Received on Thursday, 6 November 2014 01:44:31 UTC
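The question in the message above can be made concrete with a small host-source matcher. The following is an added example, not code from the message, the CSP 2 draft, or any browser. It assumes a simplified host-source grammar (scheme, optional `*.` wildcard, dotted host, optional port; no path or IP literal), and the decision to strip a single trailing dot from the fetched URL's hostname before comparing is a policy choice of this example, not something the draft specifies.

```javascript
// Added example (not from the original message or the CSP draft): a minimal
// CSP host-source matcher that shows what the trailing-dot case turns on.

// Simplified host-source grammar: [scheme://][*.]host[:port]. The host part
// does not admit a trailing dot, so "https://example.com." is rejected, as
// the message says the real grammar does.
const HOST_SOURCE =
  /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9-]+(?:\.[a-z0-9-]+)*)(?::(\d+|\*))?$/i;

const DEFAULT_PORT = { 'https:': '443', 'http:': '80' };

// Parse one host-source expression. Returns null when the grammar rejects it.
function parseHostSource(expr) {
  const m = HOST_SOURCE.exec(expr);
  if (!m) return null;
  return {
    scheme: m[1] ? m[1].toLowerCase() : null,
    wildcard: Boolean(m[2]),
    host: m[3].toLowerCase(),
    port: m[4] || null,
  };
}

// Canonicalize the hostname of a fetched URL before matching. Removing one
// trailing dot (the fully-qualified DNS spelling) is this example's choice;
// pass stripTrailingDot: false to see the strict comparison the draft's
// silence would otherwise imply.
function canonicalHost(hostname, { stripTrailingDot }) {
  let h = hostname.toLowerCase();
  if (stripTrailingDot && h.endsWith('.')) h = h.slice(0, -1);
  return h;
}

// Does the URL match the parsed host-source under the given normalization?
function hostMatches(src, url, opts) {
  const u = new URL(url); // WHATWG URL parsing keeps "example.com." as-is
  const host = canonicalHost(u.hostname, opts);

  if (src.scheme && src.scheme + ':' !== u.protocol) return false;

  if (src.wildcard) {
    if (!host.endsWith('.' + src.host)) return false;
  } else if (host !== src.host) {
    return false;
  }

  if (src.port && src.port !== '*') {
    const urlPort = u.port || DEFAULT_PORT[u.protocol] || '';
    if (urlPort !== src.port) return false;
  }
  return true;
}

// Evaluate a single script-src source expression against a script URL,
// returning { allowed, reason } so the two normalization choices can be compared.
function checkScript(sourceExpr, scriptUrl, opts) {
  const src = parseHostSource(sourceExpr);
  if (!src) return { allowed: false, reason: 'invalid host-source' };
  return { allowed: hostMatches(src, scriptUrl, opts), reason: 'matched grammar' };
}

// Demonstration with the exact values from the message (constructed input).
if (typeof require !== 'undefined' && require.main === module) {
  const policy = 'https://example.com';
  const script = 'https://example.com./a.js';
  console.log('strict  :', checkScript(policy, script, { stripTrailingDot: false }));
  console.log('relaxed :', checkScript(policy, script, { stripTrailingDot: true }));
  console.log('invalid :', checkScript('https://example.com.', script, { stripTrailingDot: true }));
}
```

Run with `node matcher.js`. The strict branch shows why the draft's silence matters: the same `<script>` tag is blocked or allowed depending solely on whether the implementation treats `example.com.` and `example.com` as one host, which is exactly the behaviour a test-suite case would pin down.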
