Wildcards in Permissions Policy Origins

index.bs

@@ -297,8 +297,28 @@ spec: HEADER-STRUCTURE; urlPrefix: https://httpwg.org/http-extensions/draft-ietf
       then return true.</li>
       <li>Otherwise, for each <var>item</var> in the <a>allowlist</a>:
         <ol>
-          <li>If <var>item</var> is [=same origin-domain=] with
-          <var>origin</var>, then return true.</li>
+          <li>If <var>item</var> is a <a>serialized-origin</a> that's [=same origin-domain=] 
+          with <var>origin</var>, then return true.</li>
+          <li>Else if <var>item</var> is a <a>serialized-origin-with-wildcard-subdomain</a>
+          then:</li>
+          <ol>
+            <li>If <var>origin</var> does not have a host with a <a>registrable domain</a>
+            return false.<li>
+            <li>Set <var>originWithoutWildcard</var> to be <var>item</var> without the "*."
+            at the start of the host.</li>
+            <li>If <var>originWithoutWildcard</var> is [=same origin-domain=] </li> with
+            <var>origin</var>, then return false.</li>
+            <li>Set <var>originCandidate</var> to be equal to <var>origin</var> with the
+            left most domain label (and the dot after it) removed.</li>
+            <li>While <var>originCandidate</var> has a host with a <a>registrable domain</a>:</li>
+            <ol>
+              <li>If <var>originWithoutWildcard</var> is [=same origin-domain=] </li> with
+              <var>originCandidate</var>, then return true.</li>
+              <li>Set <var>originCandidate</var> to be equal to <var>originCandidate</var> with
+              the left most domain label (and the dot after it) removed.</li>
+            </ol>
+            <li>return false.</li>
+          </ol>
         </ol>
       </li>
       <li>return false.</li>
@@ -338,13 +358,16 @@ spec: HEADER-STRUCTURE; urlPrefix: https://httpwg.org/http-extensions/draft-ietf
       <dfn>serialized-policy-directive</dfn> = <a>feature-identifier</a> RWS <a>allow-list</a>
       <dfn>feature-identifier</dfn> = 1*( ALPHA / DIGIT / "-")
       <dfn>allow-list</dfn> = <a>allow-list-value</a> *(RWS <a>allow-list-value</a>)
-      <dfn>allow-list-value</dfn> = <a>serialized-origin</a> / "*" / "'self'" / "'src'" / "'none'"
+      <dfn>allow-list-value</dfn> = <a>serialized-origin</a> / <a>serialized-origin-with-wildcard-subdomain</a> / "*" / "'self'" / "'src'" / "'none'"
     </pre>
     <p><dfn><code>serialized-origin</code></dfn> is the
     <a>serialization of an origin</a>. However, the code points U+0027 ('),
     U+0021 (*), U+002C (,) and U+003B (;) MUST NOT appear in the serialization.
     If they are required, they must be percent-encoded as "`%27`", "`%2A`",
     "`%2C`" or "`%3B`", respectively.</p>
+    <p><dfn><code>serialized-origin-with-wildcard-subdomain</code></dfn> is a serialization of an
+    <a>origin</a> whose host is a domain which is the concatenation of the string "*." and a
+    domain which has a non-null <a>registrable domain</a>.</p>
     <div class="note">
       The string "<code>'self'</code>" may be used as an origin in an allowlist.
       When it is used in this way, it will refer to the origin of the document