W3C home > Mailing lists > Public > public-webappsec@w3.org > November 2014

Re: [CSP] Relative/absolute hostname matching

From: Mike West <mkwst@google.com>
Date: Thu, 6 Nov 2014 14:13:56 +0100
Message-ID: <CAKXHy=c+mmJGNV=SY_FQd=OiOHSf3WzAeJaB7ghozfPynpETRQ@mail.gmail.com>
To: Brian Smith <brian@briansmith.org>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
An excellent question! I have no idea!

I think this boils down to the question of whether `https://example.com/`
is the same origin as `https://example.com./`. It's not clear to me whether
that's the case. Chrome, at least, has separate storage areas for the two
hosts. I'm tempted to say that that's a good result, but I don't have a
feel for the implications.

-mike

--
Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg
Geschäftsführer: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

On Thu, Nov 6, 2014 at 2:44 AM, Brian Smith <brian@briansmith.org> wrote:

> Consider:
>
>     Content-Security-Policy: script-src https://example.com.
>
> This is illegal, because the syntax doesn't allow the trailing dot at the
> end.
>
> Now, consider:
>
>     Content-Security-Policy script-src https://example.com
>
> Does this match?:
>
>     <script src='https://example.com./a.js'>
>
> In most (all?) parts of the browser, we could consider this a match, but
> the CSP 2 draft doesn't mention this. I think it would be useful to
> explicitly call these cases out in the specification, and also it would be
> useful to add then to the test suite.
>
> Cheers,
> Brian
>
Received on Thursday, 6 November 2014 13:14:47 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:07 UTC