W3C home > Mailing lists > Public > public-webappsec@w3.org > November 2014

Re: [CSP] URI Query part matching

From: Mike West <mkwst@google.com>
Date: Thu, 6 Nov 2014 14:17:14 +0100
Message-ID: <CAKXHy=fRixM4ivnuKekxVy42yTQPPfp_MHViBJYTWOobz62W3Q@mail.gmail.com>
To: Brian Smith <brian@briansmith.org>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
Good eye. Fixed the typo:
https://github.com/w3c/webappsec/commit/a9b163fc39ee75fbc03c491fcd0356b01af72b05

-mike

--
Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg
Geschäftsführer: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

On Thu, Nov 6, 2014 at 2:34 AM, Brian Smith <brian@briansmith.org> wrote:

> Hi,
>
> In the current draft of CSP 2, there is this text:
>
> "Note: Query strings have no impact on matching: the source expression
> example.com/file?key=value matches all of https://example.com/file,
> https://example.com/file?key=value, https://example.com/file?key=notvalue,
> and https://example.com/file?notkey=notvalue."
>
> This implies that there is a case in which the UA will attempt to match a
> URI containing a query component with another one. However, the syntax
> doesn't allow the query component, so this can never happen, AFAICT. In
> particular, the example source expression example.com/file?key=value is
> invalid, right?
>
> If so, I think the example should be corrected to demonstrate valid CSP
> syntax instead of invalid CSP syntax.
>
> Cheers,
> Brian
>
>
Received on Thursday, 6 November 2014 13:18:05 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:07 UTC