Does *.example.com cover example.com in a Content Security Policy header?

Let's say this header is set on mywebsite.com:

Content-Security-Policy: script-src 'self' https://*.example.com

I know that this will allow https://foo.example.com and https://bar.example.com, but will it also allow https://example.com?

See the specification ....

Hosts such as example.com (which corresponds to any resource on the host, regardless of the scheme) or *.example.com (which corresponds to any resource on the host or in any of its subdomains (and any subdomains of its subdomains, etc.))

... it seems that this should simply allow https://example.com. However, I found several different sites (site 1, site 2, site 3, site 4) which all say that https://example.com is not included. Which is it?

+4
2 answers

That text from the CSP specification seems to be incorrect, and the other sources cited are correct.

But the https://www.w3.org/TR/CSP/#source-expression section, which defines what a CSP source expression is, does not actually state the normative requirements.

CSP, , url , https://www.w3.org/TR/CSP/#ref-for-grammardef-host-part-2, :

  1. host-part ASTERISK U+002A (*):

    • "*" .
    • (U+002E FULL STOP (.)) ASCII-- url's, " ".

U+002E FULL STOP (.) , url , .

, *.example.com , *, .example.com , url , .

, https://foo.example.com , - .example.com, https://example.com , - .example.com ( ).


2017-10-13
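As an added example (written for this page; it is not code from the question, from either answer, or from the W3C specification), here is a small JavaScript matcher that implements the host-part rule the answer above quotes: "*" alone matches any host, a host-part beginning with "*" matches only when the remaining characters (".example.com", leading dot included) are a case-insensitive suffix of the URL's host, and any other host-part must equal the host exactly. The scheme and port checks follow the same spec algorithm in simplified form; path matching is left out. The page origin https://mywebsite.com, the policy strings and the sample URLs are constructed for the demonstration.

```javascript
// Added example: CSP host-source matching on the host-part rules discussed above.
// Policy values, page origin and URLs below are constructed sample data.

const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };

// Host-part matching as the spec describes it: "*" on its own matches any host;
// a host-part beginning with "*" matches when the remaining characters (for
// "*.example.com" that is ".example.com", dot included) are a suffix of the URL
// host; any other host-part must equal the URL host. ASCII case-insensitive.
function hostPartMatches(hostPart, urlHost) {
  const pattern = hostPart.toLowerCase();
  const host = urlHost.toLowerCase();
  if (pattern === "*") return true;
  if (pattern.startsWith("*")) return host.endsWith(pattern.slice(1));
  return pattern === host;
}

// Split a host-source expression such as "https://*.example.com:443" into its
// optional scheme, the host-part and an optional port. A trailing path is
// accepted but ignored (path matching is out of scope for this example).
function parseHostSource(expression) {
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^:/]+)(?::(\d+|\*))?(?:\/.*)?$/i.exec(expression);
  if (!m) return null;
  return { scheme: m[1] ? m[1].toLowerCase() + ":" : null, hostPart: m[2], port: m[3] || null };
}

// Does one source expression allow the given URL on a page served from pageOrigin?
function sourceMatches(expression, url, pageOrigin) {
  const u = new URL(url);
  const origin = new URL(pageOrigin);
  if (expression === "'self'") return u.origin === origin.origin;
  if (expression === "'none'") return false;
  const src = parseHostSource(expression);
  if (!src) return false;
  // Scheme: an explicit http: also allows https:; with no scheme the URL must use
  // the page's scheme (or https: when the page itself is http:).
  const want = src.scheme || origin.protocol;
  if (!(u.protocol === want || (want === "http:" && u.protocol === "https:"))) return false;
  if (!hostPartMatches(src.hostPart, u.hostname)) return false;
  // Port: an explicit port must match (or be "*"); otherwise the URL must be on
  // the default port for its scheme.
  const urlPort = u.port || DEFAULT_PORTS[u.protocol];
  if (src.port) return src.port === "*" || src.port === urlPort;
  return urlPort === DEFAULT_PORTS[u.protocol];
}

// Evaluate a whole directive value: the URL is allowed if any expression matches.
function isAllowed(directiveValue, url, pageOrigin) {
  return directiveValue.trim().split(/\s+/).some(e => sourceMatches(e, url, pageOrigin));
}

// Constructed demonstration data.
const PAGE = "https://mywebsite.com";
const POLICY_FROM_QUESTION = "'self' https://*.example.com";
// The apex host has to be listed explicitly if it should be allowed too.
const POLICY_WITH_APEX = "'self' https://example.com https://*.example.com";

const SAMPLE_URLS = [
  "https://foo.example.com/app.js",
  "https://bar.example.com/app.js",
  "https://example.com/app.js",
  "https://evil-example.com/app.js",
  "http://foo.example.com/app.js",
  "https://mywebsite.com/local.js",
];

// Map each sample URL to whether the given policy allows it.
function evaluate(policy) {
  return Object.fromEntries(SAMPLE_URLS.map(u => [u, isAllowed(policy, u, PAGE)]));
}

for (const [u, ok] of Object.entries(evaluate(POLICY_FROM_QUESTION))) {
  console.log(ok ? "allow" : "block", u);
}
```

Running this against the question's policy allows the two subdomains and the page's own origin but blocks https://example.com, which is exactly what the cited sites report; the second policy shows the usual fix of listing the apex host alongside the wildcard. Because the suffix check keeps the leading dot, a host such as evil-example.com is not matched by *.example.com either.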

A while CSP .

CSP :

, example.com ( , ) *.example.com ( ( ..))

, , " ", " ".

+2

Mozilla docs 'self', *.example.com CSP, .

+1

Source: https://habr.com/ru/post/1680512/
