On 03/12/2010 04:38 PM, Nick Kralevich wrote:
> While reading through the Formal Policy Syntax of the CSP, it occurred to me
> that the meaning of "allow *" might be confusing.  The wildcard seems to
> correspond to a hostname only, and not to a scheme or port.

Another great question.  I've made a change to the policy syntax that I
hope will clarify things.

<source>            ::= "'self'"
                      | "*"
                      | <scheme><host><port>

What this means is that * by itself implies <inherited-scheme>//*:* but
* can still be used as a wildcard for hostname, port, or both.  We
didn't think it was wise to allow sites to wildcard schemes.  It doesn't
seem like too much to ask sites to enumerate the schemes they want to use.

>   X-Content-Security-Policy: allow 'self'; img-src *; ...
> 
> will allow an image "from anywhere".  However, my reading of the syntax is
> that it will only allow images from the same scheme and default port.  (for
> example, an HTTP page couldn't include an image from an HTTPS source)
> 
> 1) Is my reading of "allow *" correct?

With this change to the spec, the above policy would now allow images
from the same scheme, any host, and any port.

> 2) How does one specify a wildcard for any protocol?

I don't think we should allow that.  Do you have a reason to believe we
should?

Thanks very much for all the detailed feedback.  It's very much appreciated.

Cheers,
Brandon
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
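The source-matching rules Brandon describes above, as an added example written for this page (not code from the CSP draft, from Mozilla, or from either poster): a toy Python matcher for the quoted `<source>` syntax. It treats a bare `*` as the protected page's inherited scheme with any host and any port, still accepts `*` in the host or port position, and rejects a wildcard scheme. The `allow` fallback for directives that are not listed, the default-port table, and the `url_allowed` helper are assumptions of this example, as is the decision to model only the 2010 draft semantics rather than later CSP versions.

```python
"""Toy matcher for the 2010 CSP draft source syntax (example code, not a browser).

Assumed semantics, taken only from the thread above:
    <source> ::= "'self'" | "*" | <scheme><host><port>
  - a bare "*" means <page scheme>://*:*  (scheme inherited, never wildcarded)
  - "*" may still stand for the host, the port, or both
  - a "*" scheme is rejected
  - directives fall back to "allow" when not listed (assumption)
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Union
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}  # assumption: only these two schemes
ANY = "*"


@dataclass(frozen=True)
class Source:
    is_self: bool = False
    scheme: Optional[str] = None              # None -> inherit the page's scheme
    host: str = ANY                           # "*" or an exact host name
    port: Union[int, str, None] = None        # int, "*", or None -> scheme default


def parse_source(expr: str) -> Source:
    """Parse one source expression; raise ValueError for a scheme wildcard."""
    expr = expr.strip()
    if expr == "'self'":
        return Source(is_self=True)
    if expr == ANY:
        # bare wildcard: inherited scheme, any host, any port
        return Source(scheme=None, host=ANY, port=ANY)
    if "://" not in expr:
        raise ValueError(f"expected 'self', * or scheme://host[:port]: {expr!r}")
    scheme, rest = expr.split("://", 1)
    scheme = scheme.lower()
    if not scheme or scheme == ANY:
        raise ValueError(f"scheme wildcards are not permitted: {expr!r}")
    host, _, port = rest.partition(":")
    if not host:
        raise ValueError(f"missing host in source: {expr!r}")
    port_val: Union[int, str, None]
    if port == "":
        port_val = None            # default port for the scheme
    elif port == ANY:
        port_val = ANY
    else:
        port_val = int(port)
    return Source(scheme=scheme, host=host.lower(), port=port_val)


def parse_policy(header: str) -> Dict[str, List[Source]]:
    """Split 'allow ...; img-src ...' into directive -> source list."""
    policy: Dict[str, List[Source]] = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = [parse_source(p) for p in parts[1:]]
    return policy


def _origin(url: str):
    """(scheme, host, effective port) of a URL, filling in the default port."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return scheme, (parts.hostname or "").lower(), port


def source_matches(src: Source, page_url: str, resource_url: str) -> bool:
    page_scheme, page_host, page_port = _origin(page_url)
    scheme, host, port = _origin(resource_url)
    if src.is_self:
        return (scheme, host, port) == (page_scheme, page_host, page_port)
    want_scheme = src.scheme or page_scheme      # bare "*" inherits the scheme
    if scheme != want_scheme:
        return False
    if src.host != ANY and host != src.host:
        return False
    if src.port == ANY:
        return True
    want_port = src.port if src.port is not None else DEFAULT_PORTS.get(want_scheme)
    return port == want_port


def url_allowed(header: str, directive: str, page_url: str, resource_url: str) -> bool:
    """True if any source in the directive (or its 'allow' fallback) matches."""
    policy = parse_policy(header)
    sources = policy.get(directive.lower(), policy.get("allow", []))
    return any(source_matches(s, page_url, resource_url) for s in sources)


if __name__ == "__main__":
    # Constructed sample: the policy from the thread on an http page.
    policy, page = "allow 'self'; img-src *", "http://example.com/page.html"
    for url in ("http://cdn.example.net/a.png", "http://example.com:8080/a.png",
                "https://example.com/a.png"):
        print(url, "->", url_allowed(policy, "img-src", page, url))
```

Run stand-alone it prints that the first two images are allowed (any host, any port) while the `https://` image is refused, because `img-src *` inherits the page's `http` scheme; a site that wants both schemes has to list them, e.g. `img-src http://*:* https://*:*`.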
