Re: [CSP] Relative/absolute hostname matching

On Thu, Nov 6, 2014 at 10:37 PM, Brian Smith <> wrote:
> It seems Gecko also treats them as separate origins. So, I guess the
> currently-specified behavior may be OK. However, note that there are
> negative consequences to this, for example HSTS bypass.
> Regardless of which way is considered correct, I think it would be
> useful to clarify this (e.g. with a non-normative example) because I
> can see people getting it wrong either way.
> Note that when it comes to certificate hostname matching, Chrome (for
> a while) and Firefox (as of recently) both treat "" as
> equal to "".

It would be interesting to consider if we could normalize the dot away
during URL parsing. This would make "" always load
"" and we'd basically not expose a way to get to
the former. Is that a realistic option?

If we cannot do it we should continue to treat them as distinct
origins, though perhaps not for certain things, such as HSTS and


Received on Friday, 7 November 2014 09:11:43 UTC
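The two positions the thread weighs, as an added example that is not part of the thread and not any browser's code: WHATWG URL parsing keeps a trailing dot, so "https://example.com." is its own origin, and a CSP host-source or HSTS entry written for "example.com" does not match it; with the dot normalized away at parse time, as the reply proposes, the two collapse into one. The helpers normalizeHost, sameOrigin, cspHostMatches and hstsUpgrade are illustrative, the CSP matcher covers only scheme and host (no paths, ports or other source kinds), the HSTS store is a constructed sample, and treating a bare "." host as unchanged is an assumption.

```javascript
// Added example (not from the thread or any browser). Shows how a trailing-dot
// host behaves under WHATWG URL parsing, and what changes if the parser
// normalizes the dot away. Helpers and sample data are constructed for this
// illustration only.

// Drop one trailing dot (the explicit DNS root label), as the thread proposes
// the URL parser could do. A host that is only "." is left as-is (assumption).
function normalizeHost(hostname) {
  return hostname.length > 1 && hostname.endsWith(".")
    ? hostname.slice(0, -1)
    : hostname;
}

// Current behaviour: the parser does not touch the dot, so the serialized
// origin of "https://example.com./..." is "https://example.com.".
function originOf(url) {
  return new URL(url).origin;
}

// Origin comparison on scheme, host and port, optionally normalizing hosts first.
function sameOrigin(a, b, { normalize = false } = {}) {
  const ua = new URL(a);
  const ub = new URL(b);
  const host = (u) => (normalize ? normalizeHost(u.hostname) : u.hostname);
  return ua.protocol === ub.protocol && host(ua) === host(ub) && ua.port === ub.port;
}

// Minimal CSP host-source matcher for "scheme://host" or "scheme://*.host".
// Paths, ports and non-host source expressions are out of scope here.
function cspHostMatches(sourceExpr, url, { normalize = false } = {}) {
  const m = /^([a-z][a-z0-9+.-]*):\/\/(\*\.)?([^/:]+)$/i.exec(sourceExpr);
  if (!m) throw new Error("unsupported source expression: " + sourceExpr);
  const [, scheme, wildcard, srcHost] = m;
  const u = new URL(url);
  if (u.protocol !== scheme.toLowerCase() + ":") return false;
  const want = (normalize ? normalizeHost(srcHost) : srcHost).toLowerCase();
  const got = normalize ? normalizeHost(u.hostname) : u.hostname;
  return wildcard ? got.endsWith("." + want) : got === want;
}

// Toy HSTS store: a Set of hosts that must be reached over https. Without
// normalization an http request to "example.com." misses the "example.com"
// entry and goes out in the clear, which is the bypass the quoted mail raises.
function hstsUpgrade(store, url, { normalize = false } = {}) {
  const u = new URL(url);
  const host = normalize ? normalizeHost(u.hostname) : u.hostname;
  if (u.protocol === "http:" && store.has(host)) {
    u.protocol = "https:";
    if (normalize) u.hostname = host;
  }
  return u.href;
}

const HSTS = new Set(["example.com"]); // constructed sample store

function demo() {
  return {
    origin: originOf("https://example.com./login"),
    distinct: sameOrigin("https://example.com/", "https://example.com./"),
    merged: sameOrigin("https://example.com/", "https://example.com./", { normalize: true }),
    cspDistinct: cspHostMatches("https://example.com", "https://example.com./app.js"),
    cspMerged: cspHostMatches("https://example.com", "https://example.com./app.js", { normalize: true }),
    bypass: hstsUpgrade(HSTS, "http://example.com./login"),
    upgraded: hstsUpgrade(HSTS, "http://example.com./login", { normalize: true }),
  };
}

console.log(demo());
```

Run under Node (the global URL class is the WHATWG parser): the unnormalized calls report two origins, a CSP miss and an un-upgraded http URL, while the normalized calls fold "example.com." into "example.com". The normalize option is the parse-time collapse the reply asks about; if that is not done, each consumer (CSP, HSTS, and so on) has to decide separately whether to strip the dot, which is the split the reply's last sentence is pointing at.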