W3C home > Mailing lists > Public > public-webappsec@w3.org > November 2014

Re: [CSP] Relative/absolute hostname matching

From: Brian Smith <brian@briansmith.org>
Date: Thu, 6 Nov 2014 13:37:15 -0800
Message-ID: <CAFewVt6N=fWH9rbE0F7wOmw+gHwWAMRsa7+gHtSXXJNRGv5whA@mail.gmail.com>
To: Mike West <mkwst@google.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
Mike West <mkwst@google.com> wrote:
> I think this boils down to the question of whether `https://example.com/` is
> the same origin as `https://example.com./`. It's not clear to me whether
> that's the case. Chrome, at least, has separate storage areas for the two
> hosts. I'm tempted to say that that's a good result, but I don't have a feel
> for the implications.

It seems Gecko also treats them as separate origins. So, I guess the
currently-specified behavior may be OK. However, note that there are
negative consequences to this, for example HSTS bypass [1].

Regardless of which way is considered correct, I think it would be
useful to clarify this (e.g. with a non-normative example) because I
can see people getting it wrong either way.

Note that when it comes to certificate hostname matching, Chrome (for
a while) and Firefox (as of recently) both treat "example.com." as
equal to "example.com".


[1] https://bugzilla.mozilla.org/show_bug.cgi?id=774769
Received on Thursday, 6 November 2014 21:37:42 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:42 UTC