Re: Improving CORS security from Anne van Kesteren on 2017-05-10 (public-webappsec@w3.org from May 2017)

From: Anne van Kesteren <annevk@annevk.nl>
Date: Wed, 10 May 2017 13:01:04 +0200
To: Mike West <mkwst@google.com>
Cc: James Kettle <james.kettle@portswigger.net>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <CADnb78jA3M1vOHK0WZD3u3vjnAT-KSPvmszNjgVMV4BHQ7rwFg@mail.gmail.com>

On Wed, May 10, 2017 at 12:57 PM, Mike West <mkwst@google.com> wrote:
> I agree, but it's not clear to me that that would be fatal, since browsers
> that support CSP already have code to deal with this kind of wildcard
> syntax.

Dare I ask whether that is fully interoperable? Last I checked this
was defined with some ABNF which didn't inspire confidence. Also,
would this result in http://example/ matching HTTP://EXAMPLE/ whereas
it does not now?

-- 
https://annevankesteren.nl/

Received on Wednesday, 10 May 2017 11:01:34 UTC