- From: Mike West <mike@mikewest.org>
- Date: Wed, 12 Apr 2017 18:47:31 +0200
- To: Braiam Peguero <braiamp@gmail.com>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
Received on Wednesday, 12 April 2017 16:48:36 UTC
On Sat, Apr 8, 2017 at 3:40 AM, Braiam Peguero <braiamp@gmail.com> wrote:
> I have a rule like the following:
>
> script-src https://*.example.com
>
> How should this be parsed? Should it allow only https
> resources on any subdomain of example.com, like Firefox?
> or disregard it, like Chromium does?

That's legal syntax, and it has the meaning you're suggesting. I'm surprised that Chromium's behavior doesn't match the spec.

Spot-checking this by navigating to `data:text/html,<meta http-equiv='content-security-policy' content='img-src https://*.google.com'><img src="https://www.google.com/chrome/assets/common/images/chrome_logo_2x.png">`, it looks like Chromium's doing the right thing. Would you mind filing a bug at https://crbug.com/new with an example where it's not doing the right thing? I'll be happy to nudge it in the right direction. :)

-mike