- From: Mike West <mkwst@google.com>
- Date: Thu, 6 Nov 2014 14:13:56 +0100
- To: Brian Smith <brian@briansmith.org>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
- Message-ID: <CAKXHy=c+mmJGNV=SY_FQd=OiOHSf3WzAeJaB7ghozfPynpETRQ@mail.gmail.com>
An excellent question! I have no idea! I think this boils down to the question of whether `https://example.com/` is the same origin as `https://example.com./`. It's not clear to me whether that's the case. Chrome, at least, has separate storage areas for the two hosts. I'm tempted to say that that's a good result, but I don't have a feel for the implications. -mike -- Mike West <mkwst@google.com> Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91 Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany Registergericht und -nummer: Hamburg, HRB 86891 Sitz der Gesellschaft: Hamburg Geschäftsführer: Graham Law, Christine Elizabeth Flores (Sorry; I'm legally required to add this exciting detail to emails. Bleh.) On Thu, Nov 6, 2014 at 2:44 AM, Brian Smith <brian@briansmith.org> wrote: > Consider: > > Content-Security-Policy: script-src https://example.com. > > This is illegal, because the syntax doesn't allow the trailing dot at the > end. > > Now, consider: > > Content-Security-Policy script-src https://example.com > > Does this match?: > > <script src='https://example.com./a.js'> > > In most (all?) parts of the browser, we could consider this a match, but > the CSP 2 draft doesn't mention this. I think it would be useful to > explicitly call these cases out in the specification, and also it would be > useful to add then to the test suite. > > Cheers, > Brian >
Received on Thursday, 6 November 2014 13:14:47 UTC