
Re: [csp3] How should domains with defined wildcard and scheme be parsed?

From: Mike West <mike@mikewest.org>
Date: Wed, 12 Apr 2017 18:47:31 +0200
Message-ID: <CAJToGzM80Hvs=wZyTTJ01C5bUjUHSMq_yy=gp3Q+YCHc-m+STw@mail.gmail.com>
To: Braiam Peguero <braiamp@gmail.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>

On Sat, Apr 8, 2017 at 3:40 AM, Braiam Peguero <braiamp@gmail.com> wrote:

> I have a rule like the following:
>
>     script-src https://*.example.com
>
> How should this be parsed? Should it allow only https
> resources on any subdomain of example.com, like Firefox?
> Or disregard it, like Chromium does?
>

That's legal syntax, and it has the meaning you're suggesting. I'm
surprised that Chromium's behavior doesn't match the spec.

Spot-checking this by navigating to

`data:text/html,<meta http-equiv='content-security-policy' content='img-src https://*.google.com'><img src="https://www.google.com/chrome/assets/common/images/chrome_logo_2x.png">`,

it looks like Chromium's doing the right thing. Would you mind filing a bug
at https://crbug.com/new with an example where it's not doing the right
thing? I'll be happy to nudge it in the right direction. :)

-mike
Received on Wednesday, 12 April 2017 16:48:36 UTC
