[csp3] How should domains with defined wildcard and scheme be parsed?

# Braiam Peguero (a month ago)

I have a rule like the following:

`script-src https://*.example.com`

How should this be parsed? Should it allow only https resources on any subdomain of example.com, like Firefox, or disregard it, like Chromium does?

I'd rather have the first option, as it can save some bytes of header in the case of some services.

# Mike West (a month ago)

On Sat, Apr 8, 2017 at 3:40 AM, Braiam Peguero braiamp@gmail.com wrote:

> I have a rule like the following:
>
> `script-src https://*.example.com`
>
> How should this be parsed? Should it allow only https resources on any subdomain of example.com, like Firefox, or disregard it, like Chromium does?

That's legal syntax, and it has the meaning you're suggesting. I'm surprised that Chromium's behavior doesn't match the spec.

Spot-checking this by navigating to `data:text/html,<meta http-equiv='content-security-policy' content='img-src https://*.google.com'><img src="www.google.com/chrome/assets/common/images/chrome_logo_2x.png">`, it looks like Chromium's doing the right thing. Would you mind filing a bug at crbug.com/new with an example where it's not doing the right thing? I'll be happy to nudge it in the right direction. :)
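The host-source matching Mike refers to, as an added Python example (not code from the thread or from any browser): it applies the CSP3 scheme, host and port checks to an expression like `https://*.example.com`, treats an `http`/`ws` scheme-part as also covering `https`/`wss`, and leaves path matching out. The `page_scheme` parameter is an assumption standing in for the protected document's origin scheme.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}


def _scheme_matches(expr_scheme, url_scheme):
    # CSP3: an http/ws scheme-part also covers its secure upgrade.
    if expr_scheme == url_scheme:
        return True
    return (expr_scheme, url_scheme) in {("http", "https"), ("ws", "wss")}


def _host_matches(expr_host, url_host):
    expr_host, url_host = expr_host.lower(), url_host.lower()
    if expr_host == "*":
        return True
    if expr_host.startswith("*."):
        # A wildcard needs at least one extra label: "*.example.com" covers
        # "cdn.example.com" but neither "example.com" nor "evil-example.com".
        suffix = expr_host[1:]  # ".example.com"
        return url_host.endswith(suffix) and len(url_host) > len(suffix)
    return expr_host == url_host


def host_source_matches(expression, url, page_scheme="https"):
    """True if `url` is allowed by the CSP host-source `expression`.

    Checks scheme, host and port only; path-part matching is omitted.
    `page_scheme` (assumed parameter) is the scheme of the protected page,
    used when the expression carries no scheme of its own.
    """
    if "://" in expression:
        expr_scheme, rest = expression.split("://", 1)
        expr_scheme = expr_scheme.lower()
    else:
        expr_scheme, rest = page_scheme, expression
    rest = rest.split("/", 1)[0]          # drop any path-part
    host, _, port = rest.partition(":")   # port may be "", "*" or digits
    u = urlsplit(url)
    if u.scheme not in DEFAULT_PORTS or not _scheme_matches(expr_scheme, u.scheme):
        return False
    if not _host_matches(host, u.hostname or ""):
        return False
    url_port = u.port or DEFAULT_PORTS[u.scheme]
    if port == "":
        # No port-part: the URL must use its scheme's default port.
        return url_port == DEFAULT_PORTS[u.scheme]
    return port == "*" or url_port == int(port)
```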
