w3c / webappsec-csp

WebAppSec Content Security Policy
https://w3c.github.io/webappsec-csp/

Correctly match `*` as a `host-part`. #657

Closed mikewest closed 5 months ago

mikewest commented 5 months ago

This PR adds support for `*` to the `host-part` matching algorithm, allowing patterns like `https://*:123` to correctly match any host.

Fixes w3c/webappsec-csp#656
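An added illustration of the behaviour described above. It is not part of this thread and is not the spec's or any browser's code. The function names, the regular expression and the sample URLs are assumptions, and the sketch omits scheme-upgrade and IP-address rules.

```javascript
// Simplified sketch of CSP host-source matching with a bare "*" host-part.
// hostPartMatches() handles three pattern shapes:
//   "*"             -> any host (the case this PR addresses)
//   "*.example.com" -> subdomains of example.com, not example.com itself
//   anything else   -> ASCII case-insensitive exact match
function hostPartMatches(pattern, host) {
  const p = pattern.toLowerCase();
  const h = host.toLowerCase();
  if (h === "") return false;
  if (p === "*") return true;
  if (p.startsWith("*.")) {
    const suffix = p.slice(1); // keep the leading "."
    return h.length > suffix.length && h.endsWith(suffix);
  }
  return p === h;
}

// Assumption: only http/https default ports are modelled.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Matches a source expression of the form scheme://host-part[:port]
// against a URL. Scheme comparison is literal in this sketch.
function sourceMatchesUrl(source, url) {
  const m = /^([a-z][a-z0-9+.-]*):\/\/([^\/:]+)(?::(\d+|\*))?$/i.exec(source);
  if (!m) return false;
  const [, scheme, hostPart, port] = m;
  const u = new URL(url);
  if (u.protocol !== scheme.toLowerCase() + ":") return false;
  if (!hostPartMatches(hostPart, u.hostname)) return false;
  if (port === "*") return true;
  const urlPort = u.port || DEFAULT_PORTS[u.protocol] || "";
  const wanted = port ?? DEFAULT_PORTS[u.protocol] ?? "";
  return urlPort === wanted;
}

// Constructed sample URLs: the wildcard host still pins scheme and port.
const samples = [
  "https://example.com:123/app.js",
  "https://cdn.example.net:123/lib.js",
  "https://example.com:8443/app.js",
  "http://example.com:123/app.js",
];
for (const url of samples) {
  console.log(url, sourceMatchesUrl("https://*:123", url));
}
```

A policy author reading this should note that `https://*:123` constrains only the scheme and port, so it allows loads from every host that serves HTTPS on port 123.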

mikewest commented 5 months ago

@evilpie, @antosart: Mind taking a look?

mikewest commented 5 months ago

Adding a test in https://chromium-review.googlesource.com/c/chromium/src/+/5471523.

evilpie commented 5 months ago

Makes sense to me. (Currently in Firefox we disallow certain schemes for `*`, but that is already handled in earlier steps in the spec.)