Open jakub-g opened 5 years ago
Needs a careful security/privacy review. If those can be resolved, this seems like useful syntactic sugar.
There seem to be clear use cases for leading (*.example.com) and trailing wildcards (www.example.*). Is there a use case for wildcard somewhere in the middle?
With the current state of the art, it's possible to return TAO values like:
https://www.example.com
*
It's not possible to specify "semi-wildcard" values to allow subdomains of a given domain, like:
https://*.example.com
Was this use case ever considered? Are there any reasons to not allow it like this? (it would add a bit more complexity to the spec and implementations, but nothing unreasonable).
A scenario I'm thinking about is:
*
either for security reasons. We could argue that in the CDN scenario with static responses it's probably (most of the time) not a big deal to allow * origins, so maybe the example I made up is a bit artificial. But I still think that in some environments, it might be easier to convince ops people to activate the header on *.mydomain.com than on * -- it would require less analysis from a security point of view to have it approved.
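
How a leading-wildcard value such as https://*.example.com could be matched, as an added sketch that is not part of the issue thread or of any specification. The function name `taoAllows`, the choice that the wildcard covers subdomains at any depth but not the bare domain, and the rejection of trailing or middle wildcards are assumptions made here.

```javascript
// Hypothetical matcher: leading-wildcard values are the proposal under
// discussion in this thread, not behaviour of any shipped TAO check.
// headerValue: raw Timing-Allow-Origin value (comma-separated list).
// requesterOrigin: serialized origin of the page asking for timing data.
function taoAllows(headerValue, requesterOrigin) {
  const values = headerValue.split(",").map((v) => v.trim()).filter(Boolean);
  for (const value of values) {
    // Existing behaviour described in the post: "*" or an exact origin.
    if (value === "*" || value === requesterOrigin) return true;

    // Proposed behaviour: the wildcard must be the entire leftmost label.
    // Path, query, fragment, userinfo and any further "*" are rejected.
    const m = /^(https?:\/\/)\*\.([^*\/?#@]+)$/.exec(value);
    if (!m) continue;

    let pattern, origin;
    try {
      pattern = new URL(m[1] + m[2]);     // normalises case and default port
      origin = new URL(requesterOrigin);  // "null" origins fail to parse
    } catch {
      continue;
    }
    // Scheme and port must match exactly; only the host is wildcarded.
    if (origin.protocol !== pattern.protocol) continue;
    if (origin.port !== pattern.port) continue;

    // Compare on a label boundary: the leading "." keeps
    // "evilexample.com" from matching "*.example.com", and
    // also means the bare domain itself is not covered.
    if (origin.hostname.endsWith("." + pattern.hostname)) return true;
  }
  return false;
}

// Constructed sample inputs.
console.log(taoAllows("https://*.example.com", "https://cdn.example.com"));
console.log(taoAllows("https://*.example.com", "https://evilexample.com"));
```

A pattern whose base is a public suffix (for example a wildcard directly under a top-level domain) is accepted by this sketch; a reviewed design would need a rule for that case.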