W3C home > Mailing lists > Public > public-webappsec@w3.org > April 2017

[csp3] How should domains with defined wildcard and scheme be parsed?

From: Braiam Peguero <braiamp@gmail.com>
Date: Fri, 7 Apr 2017 21:40:43 -0400
Message-ID: <CAG=7Bt8Ov5y59=b=DGB9SUdkTzpc2MgnWW9y59E9+Z9aQErA_A@mail.gmail.com>
To: public-webappsec@w3.org
I have a rule like the following:

    script-src https://*.example.com

How should this be parsed? Should it allow only https
resources on any subdomain of example.com, like Firefox?
or disregard it, like Chromium does?

I rather prefer the first option as it can save some bytes of
header in case of some services.

-- 
Braiam Peguero
Received on Wednesday, 12 April 2017 15:07:06 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:22 UTC