W3C home > Mailing lists > Public > public-webappsec@w3.org > May 2017

Re: Improving CORS security

From: Anne van Kesteren <annevk@annevk.nl>
Date: Wed, 10 May 2017 13:01:04 +0200
Message-ID: <CADnb78jA3M1vOHK0WZD3u3vjnAT-KSPvmszNjgVMV4BHQ7rwFg@mail.gmail.com>
To: Mike West <mkwst@google.com>
Cc: James Kettle <james.kettle@portswigger.net>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On Wed, May 10, 2017 at 12:57 PM, Mike West <mkwst@google.com> wrote:
> I agree, but it's not clear to me that that would be fatal, since browsers
> that support CSP already have code to deal with this kind of wildcard
> syntax.

Dare I ask whether that is fully interoperable? Last I checked this
was defined with some ABNF which didn't inspire confidence. Also,
would this result in http://example/ matching HTTP://EXAMPLE/ whereas
it does not now?

Received on Wednesday, 10 May 2017 11:01:34 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:55:01 UTC