Does a *.example.com for a content security policy header also match example.com?

javascript html security content-security-policy
12,571

That text cited from the (old) CSP spec is wrong (now fixed). The other sources cited are right.

But that https://www.w3.org/TR/CSP/#source-expression section cited, which defines what a CSP source expression is, isn’t actually stating the relevant normative requirements.

Instead the section of the CSP spec that does actually normatively define the relevant requirements is the Does url match expression in origin with redirect count algorithm, in a substep at https://www.w3.org/TR/CSP/#ref-for-grammardef-host-part-2 which reads:

  1. If the first character of expression’s host-part is an U+002A ASTERISK character (*):

  2. Let remaining be the result of removing the leading "*" from expression.

  3. If remaining (including the leading U+002E FULL STOP character (.)) is not an ASCII case-insensitive match for the rightmost characters of url’s host, then return "Does Not Match".

The including the leading U+002E FULL STOP character (.) part of the requirement indicates the remaining part after the asterisk is removed includes the leading full stop, and so the rightmost characters of url’s host must also start with a dot in order to match that.

In other words, if you start with *.example.com and walk through that part of the algorithm, you start by removing the * to get .example.com as the remaining part, and then you match the rightmost characters of url's host against that, including the leading full stop.

So https://foo.example.com matches, because the rightmost characters of its host part match .example.com, but https://example.com doesn’t match, because the rightmost characters of its host part don’t match .example.com (because it lacks the included full stop).

2017-10-13 update

A while back I reported the problem with the CSP spec and it’s now been fixed.

The relevant part of the CSP spec now reads:

Hosts such as example.com (which matches any resource on the host, regardless of scheme) or *.example.com (which matches any resource on the host’s subdomains (and any of its subdomains' subdomains, and so on))

Notice that the part which had read “matches any resource on the host or any of its subdomains” now just reads “matches any resource on the host’s subdomains”.

Share:
12,571

Related videos on Youtube

Anonymous Penguin
Author by

Anonymous Penguin

Updated on September 16, 2022

Comments

  • Anonymous Penguin
    Anonymous Penguin over 1 year

    Say I have this header set on mywebsite.com:

    Content-Security-Policy: script-src self https://*.example.com

    I know it will allow https://foo.example.com and https://bar.example.com, but will it allow https://example.com alone?

    Looking at the spec....

    Hosts such as example.com (which matches any resource on the host, regardless of scheme) or *.example.com (which matches any resource on the host or any of its subdomains (and any of its subdomains' subdomains, and so on))

    ...it seems as it should allow plain https://example.com. However, I've found several different sites (site 1, site 2, site 3, site 4) that all say that https://example.com isn't included. Which is it?

    • jww
      jww almost 7 years
      I may be a bit pedantic, but example.com is a domain, while foo.example.com and bar.example.com are hosts.
  • Anonymous Penguin
    Anonymous Penguin almost 7 years
    I should've made it clear that example.com is NOT my website. So self would allow mydomain.com, if I am understanding everything correctly. I updated my question to clarify.
  • AJD-
    AJD- almost 7 years
    Ah, alright. In that case I'd still stick with Mozilla's/w3 spec where *.example.com includes both a foreign websites' domain and subdomains.

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

How does Content Security Policy (CSP) work?
how can I clean and sanitize a url submitted by a user for redisplay in java?
How Mega does to save a file to harddrive without requiring permission
How to forbid framing
Prevent hidden input from being altered
Violates the following Content Security Policy directive
Simple way to hash password client side right before submitting form
Is it safe to have sandbox="allow-scripts allow-popups allow-same-origin" on <iframe />?
Sanitizing HTML input value
Check if a file exists locally using JavaScript only