Re: [CSP] Relative/absolute hostname matching

An excellent question! I have no idea!

I think this boils down to the question of whether ``
is the same origin as ``. It's not clear to me whether
that's the case. Chrome, at least, has separate storage areas for the two
hosts. I'm tempted to say that that's a good result, but I don't have a
feel for the implications.


Mike West <>
Google+:, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg
Geschäftsführer: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

On Thu, Nov 6, 2014 at 2:44 AM, Brian Smith <> wrote:

> Consider:
>     Content-Security-Policy: script-src
> This is illegal, because the syntax doesn't allow the trailing dot at the
> end.
> Now, consider:
>     Content-Security-Policy script-src
> Does this match?:
>     <script src=''>
> In most (all?) parts of the browser, we could consider this a match, but
> the CSP 2 draft doesn't mention this. I think it would be useful to
> explicitly call these cases out in the specification, and also it would be
> useful to add then to the test suite.
> Cheers,
> Brian

Received on Thursday, 6 November 2014 13:14:47 UTC