Re: [CSP] Relative/absolute hostname matching

On Thu, Nov 6, 2014 at 10:37 PM, Brian Smith <brian@briansmith.org> wrote:
> It seems Gecko also treats them as separate origins. So, I guess the
> currently-specified behavior may be OK. However, note that there are
> negative consequences to this, for example HSTS bypass.
>
> Regardless of which way is considered correct, I think it would be
> useful to clarify this (e.g. with a non-normative example) because I
> can see people getting it wrong either way.
>
> Note that when it comes to certificate hostname matching, Chrome (for
> a while) and Firefox (as of recently) both treat "example.com." as
> equal to "example.com".

It would be interesting to consider if we could normalize the dot away
during URL parsing. This would make "http://example.com./" always load
"http://example.com/" and we'd basically not expose a way to get to
the former. Is that a realistic option?

If we cannot do it we should continue to treat them as distinct
origins, though perhaps not for certain things, such as HSTS and
certificates.


-- 
https://annevankesteren.nl/

Received on Friday, 7 November 2014 09:11:43 UTC
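The distinction discussed in this thread, shown in code: an added example (not part of the mailing-list message, and not Chrome's or Gecko's implementation) that uses the WHATWG `URL` class available in Node.js and browsers. It compares origins with and without the proposed trailing-dot normalization, and models an HSTS-style host lookup to show how "example.com." slips past a policy recorded for "example.com". The `HSTS_STORE` entry and the helper names are constructed for illustration.

```javascript
// Added example: trailing-dot hostnames in origin comparison and HSTS lookup.
// Helper names, the HSTS store contents and the CSP matcher are constructed
// for illustration; only the URL class is a real platform API.

// Strip exactly one trailing dot from a hostname (the normalization proposed
// in the reply above). The bare root "." and IPv6 literals are left as-is.
function normalizeHost(hostname) {
  if (hostname.length > 1 && hostname.endsWith('.') && !hostname.startsWith('[')) {
    return hostname.slice(0, -1);
  }
  return hostname;
}

// Build the (scheme, host, port) origin string of a URL. With
// normalizeTrailingDot=false this mirrors current WHATWG URL behaviour,
// which keeps "example.com." and "example.com" distinct.
function originOf(urlString, { normalizeTrailingDot = false } = {}) {
  const u = new URL(urlString);
  const host = normalizeTrailingDot ? normalizeHost(u.hostname) : u.hostname;
  return `${u.protocol}//${host}${u.port ? ':' + u.port : ''}`;
}

function sameOrigin(a, b, opts) {
  return originOf(a, opts) === originOf(b, opts);
}

// Minimal CSP host-source check: one plain host expression, no wildcards or
// schemes, matched case-insensitively against the request URL's host.
function cspHostMatches(hostSource, urlString, { normalizeTrailingDot = false } = {}) {
  const u = new URL(urlString);
  const want = normalizeTrailingDot ? normalizeHost(hostSource) : hostSource;
  const got = normalizeTrailingDot ? normalizeHost(u.hostname) : u.hostname;
  return want.toLowerCase() === got.toLowerCase();
}

// Constructed HSTS-style store: hosts that must be upgraded to https.
// A real UA also tracks max-age and includeSubDomains; omitted here.
const HSTS_STORE = new Set(['example.com']);

// Return the URL the UA would actually fetch after consulting the store.
// Without normalization, "http://example.com./" is looked up under the
// dotted host, finds nothing, and is fetched over plain http (the bypass).
function applyHsts(urlString, { normalizeTrailingDot = false } = {}) {
  const u = new URL(urlString);
  if (normalizeTrailingDot) {
    u.hostname = normalizeHost(u.hostname); // normalize "during parsing"
  }
  if (u.protocol === 'http:' && HSTS_STORE.has(u.hostname)) {
    u.protocol = 'https:';
  }
  return u.href;
}

// Walk through the cases from the thread when run directly.
if (typeof require !== 'undefined' && require.main === module) {
  const a = 'http://example.com/page';
  const b = 'http://example.com./page';
  console.log('same origin (current):   ', sameOrigin(a, b));
  console.log('same origin (normalized):', sameOrigin(a, b, { normalizeTrailingDot: true }));
  console.log('CSP example.com matches b:', cspHostMatches('example.com', b));
  console.log('HSTS on b (current):     ', applyHsts(b));
  console.log('HSTS on b (normalized):  ', applyHsts(b, { normalizeTrailingDot: true }));
}
```

Under current parsing the two URLs are different origins, a `script-src example.com` host source does not cover the dotted form, and the dotted form is fetched over plain http even though the undotted host is in the HSTS store. Turning on `normalizeTrailingDot` collapses all three differences, which is what normalizing the dot away at URL-parse time would buy; the alternative the reply mentions, keeping distinct origins but normalizing only for HSTS and certificates, corresponds to passing the option to `applyHsts` alone.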