W3C home > Mailing lists > Public > public-webappsec@w3.org > November 2014

Re: [CSP] Relative/absolute hostname matching

From: Anne van Kesteren <annevk@annevk.nl>
Date: Fri, 7 Nov 2014 10:11:16 +0100
Message-ID: <CADnb78gezAW9CY11DNxH3A=1XxVyFtjpoYJudyih5Nyg+yqTsA@mail.gmail.com>
To: Brian Smith <brian@briansmith.org>
Cc: Mike West <mkwst@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Boris Zbarsky <bzbarsky@mit.edu>, Valentin Gosu <valentin.gosu@gmail.com>

On Thu, Nov 6, 2014 at 10:37 PM, Brian Smith <brian@briansmith.org> wrote:
> It seems Gecko also treats them as separate origins. So, I guess the
> currently-specified behavior may be OK. However, note that there are
> negative consequences to this, for example HSTS bypass.
>
> Regardless of which way is considered correct, I think it would be
> useful to clarify this (e.g. with a non-normative example) because I
> can see people getting it wrong either way.
>
> Note that when it comes to certificate hostname matching, Chrome (for
> a while) and Firefox (as of recently) both treat "example.com." as
> equal to "example.com".

It would be interesting to consider if we could normalize the dot away
during URL parsing. This would make "http://example.com./" always load
"http://example.com/" and we'd basically not expose a way to get to
the former. Is that a realistic option?

If we cannot do it we should continue to treat them as distinct
origins, though perhaps not for certain things, such as HSTS and
certificates.


-- 
https://annevankesteren.nl/
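An added example, not part of the thread above and not code from any browser or the CSP spec, showing the two behaviours the message discusses: what a WHATWG-style URL parser does with "http://example.com./" (the trailing dot survives parsing, so the two spellings are distinct origins), a simplified CSP host matcher that compares hosts literally, and a normaliser that strips one trailing dot for contexts such as HSTS lookups. The function names, the `Set` of known-HSTS hosts and the simplified wildcard rule are assumptions made for illustration; the CSP matcher omits port and scheme handling.

```javascript
// Added example (not from the thread). Demonstrates trailing-dot handling
// in URL parsing, origin comparison, literal CSP-style host matching, and
// a normalising lookup for HSTS. Runs under Node (global URL).

// Parse both spellings and compare what the URL parser returns.
function parseBoth() {
  const plain = new URL("http://example.com/");
  const dotted = new URL("http://example.com./");
  return {
    plainHost: plain.hostname,   // "example.com"
    dottedHost: dotted.hostname, // "example.com." (dot is preserved, not normalised away)
    sameOrigin: plain.origin === dotted.origin, // false: distinct origins
  };
}

// Strip exactly one trailing dot (the fully-qualified-name marker).
// Assumption: this is the normalisation the thread alludes to for
// HSTS and certificate hostname matching.
function stripTrailingDot(host) {
  return host.length > 1 && host.endsWith(".") ? host.slice(0, -1) : host;
}

// Simplified CSP host-source matching (hypothetical helper): exact
// case-insensitive comparison, or a "*." prefix that matches one or more
// leading labels. Deliberately does no trailing-dot normalisation, so
// "example.com." never matches a source expression written as "example.com".
function cspHostMatches(pattern, host) {
  const p = pattern.toLowerCase();
  const h = host.toLowerCase();
  if (p.startsWith("*.")) {
    const suffix = p.slice(1); // "*.example.com" -> ".example.com"
    return h.endsWith(suffix) && h.length > suffix.length;
  }
  return p === h;
}

// HSTS-style lookup that normalises first, so a request for "example.com."
// is upgraded exactly like one for "example.com". `knownHosts` is a
// constructed Set standing in for the browser's HSTS store.
function hstsApplies(knownHosts, host) {
  return knownHosts.has(stripTrailingDot(host).toLowerCase());
}

// Stand-alone demonstration with constructed inputs.
function demo() {
  const knownHosts = new Set(["example.com"]);
  return {
    parsed: parseBoth(),
    cspExact: cspHostMatches("example.com", "example.com."),          // false
    cspWildcard: cspHostMatches("*.example.com", "www.example.com."), // false
    hstsDotted: hstsApplies(knownHosts, "example.com."),              // true
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The contrast is the point of the thread: if the parser kept normalising the dot away, the CSP and origin questions would disappear, but since it does not, a host list used for HSTS or certificate checks needs its own normalisation step, while CSP source matching against the literal host keeps "example.com." as a separate origin.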
Received on Friday, 7 November 2014 09:11:43 UTC
