
Re: [csp3] How should domains with defined wildcard and scheme be parsed?

From: Mike West <mike@mikewest.org>
Date: Wed, 12 Apr 2017 18:47:31 +0200
Message-ID: <CAJToGzM80Hvs=wZyTTJ01C5bUjUHSMq_yy=gp3Q+YCHc-m+STw@mail.gmail.com>
To: Braiam Peguero <braiamp@gmail.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>

On Sat, Apr 8, 2017 at 3:40 AM, Braiam Peguero <braiamp@gmail.com> wrote:

> I have a rule like the following:
>     script-src https://*.example.com
> How should this be parsed? Should it allow only https
> resources on any subdomain of example.com, like Firefox?
> or disregard it, like Chromium does?

That's legal syntax, and it has the meaning you're suggesting. I'm
surprised that Chromium's behavior doesn't match the spec.

Spot-checking this by navigating to `data:text/html,<meta
http-equiv='content-security-policy' content='img-src
it looks like Chromium's doing the right thing. Would you mind filing a bug
at https://crbug.com/new with an example where it's not doing the right
thing? I'll be happy to nudge it in the right direction. :)

Received on Wednesday, 12 April 2017 16:48:36 UTC
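
The interpretation Mike confirms above (a host-source with both a scheme-part and a wildcard host-part, matching only https resources on subdomains of example.com) can be checked mechanically. The following is an added example written for this archive page, not code from the thread, from Chromium or from Firefox. It implements the CSP3 "does url match expression" rules for scheme-source and host-source expressions (redirect count 0; the IP-literal and percent-decoded path-segment rules are left out), and goes slightly beyond the question by also covering scheme-only sources, explicit ports and path prefixes. All function names, the policy string and the sample URLs are this example's own choices.

```javascript
// Added example, not from the thread: a small CSP3 host-source matcher that
// shows how `script-src https://*.example.com` is meant to be interpreted.
// Function names and the sample URLs below are this example's own choices;
// the matching rules follow the CSP3 "does url match expression" algorithm
// (redirect count 0; IP-literal and percent-decoded path rules are omitted).

const DEFAULT_PORTS = { http: 80, https: 443, ws: 80, wss: 443 };

// CSP3 "scheme-part matches": an expression scheme also allows the secure
// upgrade of itself (http -> https, ws -> wss/http/https, wss -> https).
function schemePartMatches(a, b) {
  if (a === b) return true;
  if (a === 'http' && b === 'https') return true;
  if (a === 'ws' && (b === 'wss' || b === 'http' || b === 'https')) return true;
  return a === 'wss' && b === 'https';
}

// Split one source expression into scheme-part, host-part, port-part and
// path-part. Returns null for anything that is not a scheme-source or host-source.
function parseSourceExpression(expr) {
  const schemeOnly = /^([a-z][a-z0-9+.-]*):$/i.exec(expr);
  if (schemeOnly) return { scheme: schemeOnly[1].toLowerCase(), host: null, port: null, path: null };
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[a-z0-9-]+(?:\.[a-z0-9-]+)*)(?::(\*|\d+))?(\/[^?#]*)?$/i.exec(expr);
  if (!m) return null;
  return {
    scheme: m[1] ? m[1].toLowerCase() : null,
    host: m[2].toLowerCase(),
    port: m[3] || null,
    path: m[4] || null,
  };
}

// "*.example.com" matches any host that ends in ".example.com"; the dot is
// part of the suffix, so the bare apex "example.com" does not match.
function hostPartMatches(pattern, host) {
  if (pattern === '*') return true;
  if (pattern.startsWith('*')) return host.endsWith(pattern.slice(1));
  return pattern === host;
}

// The WHATWG URL parser drops a scheme's default port, so url.port === ''
// means "default port for this scheme".
function portPartMatches(portPart, url, urlScheme) {
  if (portPart === '*') return true;
  const urlPort = url.port === '' ? null : Number(url.port);
  if (portPart === null) return urlPort === null;
  const want = Number(portPart);
  return urlPort === null ? want === DEFAULT_PORTS[urlScheme] : urlPort === want;
}

// A path-part ending in "/" is a directory prefix; anything else must match exactly.
function pathPartMatches(pathPart, url) {
  if (pathPart === null || url.pathname === '') return true;
  if (pathPart.endsWith('/')) return url.pathname.startsWith(pathPart);
  return url.pathname === pathPart;
}

// Does urlString match one source expression, for a document whose origin
// scheme is originScheme? Keyword sources ('self', 'none', nonces, hashes)
// are not handled here.
function urlMatchesExpression(expr, urlString, originScheme = 'https') {
  const url = new URL(urlString);
  const scheme = url.protocol.slice(0, -1).toLowerCase();
  if (expr === '*') return ['http', 'https', 'ws', 'wss'].includes(scheme) || scheme === originScheme;
  const src = parseSourceExpression(expr);
  if (src === null) return false;
  if (src.scheme !== null && !schemePartMatches(src.scheme, scheme)) return false;
  if (src.host === null) return true; // scheme-source such as "https:"
  if (src.scheme === null && !schemePartMatches(originScheme, scheme)) return false;
  if (url.hostname === '') return false;
  return hostPartMatches(src.host, url.hostname.toLowerCase())
    && portPartMatches(src.port, url, scheme)
    && pathPartMatches(src.path, url);
}

// A directive value allows a URL if any one of its source expressions matches.
function directiveAllows(directiveValue, urlString, originScheme = 'https') {
  return directiveValue.trim().split(/\s+/)
    .some((expr) => urlMatchesExpression(expr, urlString, originScheme));
}

// The policy from the thread, checked against a few constructed URLs.
const POLICY = 'https://*.example.com';
for (const u of ['https://cdn.example.com/a.js', 'http://cdn.example.com/a.js',
                 'https://example.com/a.js', 'https://cdn.example.com:8443/a.js']) {
  console.log(u, '->', directiveAllows(POLICY, u) ? 'allowed' : 'blocked');
}
```

Two details worth noticing when comparing browser behaviour against this: the wildcard suffix keeps its leading dot, so `https://*.example.com` allows `https://a.b.example.com/` but neither `https://example.com/` nor `https://notexample.com/`; and because the host is taken from the parsed URL, a lookalike such as `https://cdn.example.com.evil.com/` is rejected even though the string contains `.example.com`.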
