On Sat, Apr 8, 2017 at 3:40 AM, Braiam Peguero <braiamp@gmail.com> wrote:
> I have a rule like the following:
>
> script-src https://*.example.com
>
> How should this be parsed? Should it allow only https
> resources on any subdomain of example.com, like Firefox?
> or disregard it, like Chromium does?
>

That's legal syntax, and it has the meaning you're suggesting. I'm surprised that Chromium's behavior doesn't match the spec. Spot-checking this by navigating to `data:text/html,<meta http-equiv='content-security-policy' content='img-src https://*.google.com'><img src="https://www.google.com/chrome/assets/common/images/chrome_logo_2x.png">`, it looks like Chromium's doing the right thing. Would you mind filing a bug at https://crbug.com/new with an example where it's not doing the right thing? I'll be happy to nudge it in the right direction. :)

-mike

Received on Wednesday, 12 April 2017 16:48:36 UTC
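As an added example (not code from the thread or from either browser), a minimal JavaScript matcher that applies the CSP Level 3 host-source rules for scheme, wildcard host and port, so the meaning of `script-src https://*.example.com` can be checked directly: only https resources on a subdomain of example.com, not example.com itself and not a non-default port unless one is listed. The page origin `https://example.org` and the helper names are assumptions.

```javascript
// Added example: CSP host-source matching (scheme, wildcard host, port).
// Assumption: expressions carry no path component; path rules are not covered here.

const DEFAULT_PORTS = { 'http:': 80, 'https:': 443, 'ws:': 80, 'wss:': 443 };

// Parse "https://*.example.com:8443" into { scheme, host, port } (each may be absent).
function parseHostSource(expr) {
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[a-z0-9.-]+)(?::(\d+|\*))?$/i.exec(expr.trim());
  if (!m) throw new Error(`not a host-source expression: ${expr}`);
  return { scheme: m[1] ? m[1].toLowerCase() + ':' : null, host: m[2].toLowerCase(), port: m[3] || null };
}

function schemeMatches(sourceScheme, urlScheme) {
  // A source scheme of http also permits https, and ws also permits wss (secure upgrades).
  return sourceScheme === urlScheme ||
    (sourceScheme === 'http:' && urlScheme === 'https:') ||
    (sourceScheme === 'ws:' && urlScheme === 'wss:');
}

function hostMatches(sourceHost, urlHost) {
  if (sourceHost === '*') return true;
  if (sourceHost.startsWith('*.')) {
    // "*.example.com" needs at least one label in front of "example.com";
    // it matches "www.example.com" but not "example.com" or "example.com.evil.test".
    const suffix = sourceHost.slice(1); // ".example.com"
    return urlHost.endsWith(suffix) && urlHost.length > suffix.length;
  }
  return sourceHost === urlHost;
}

function portMatches(source, url) {
  // URL parsing drops an explicit default port, so an empty url.port means the default.
  const urlPort = url.port ? Number(url.port) : DEFAULT_PORTS[url.protocol];
  if (source.port === null) return urlPort === DEFAULT_PORTS[url.protocol];
  if (source.port === '*') return true;
  return Number(source.port) === urlPort;
}

// True when urlString is allowed by the host-source expr, evaluated for a page
// at pageOrigin (whose scheme is used when the expression has none).
function matchesHostSource(expr, urlString, pageOrigin = 'https://example.org') {
  const source = parseHostSource(expr);
  const url = new URL(urlString);
  const sourceScheme = source.scheme || new URL(pageOrigin).protocol;
  return schemeMatches(sourceScheme, url.protocol) &&
    hostMatches(source.host, url.hostname) &&
    portMatches(source, url);
}
```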