You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
As it stands, it seems that I need to explicitly add example.com and cdn.example.com as separate entries in CSP headers. Any subsequent subdomains could use *.example.com for matching, but the *. prefix doesn't match a domain with no prefix.
I'm not sure the exact fix (or if the spec is even changeable), but I'd like to see the preceeding . as implicit for bare domains, sort of like the trailing dot is part of the SOA / zone records in DNS. That would let the *.example.com match both the bare domain and any subdomains, without requiring two separate rules to implement.
*example.com would work too, but only if the implicit-dot is part of the parser. If not, evilexample.com would be a terrible security hole.
The text was updated successfully, but these errors were encountered:
As it stands, it seems that I need to explicitly add
example.comandcdn.example.comas separate entries in CSP headers. Any subsequent subdomains could use*.example.comfor matching, but the*.prefix doesn't match a domain with no prefix.I'm not sure the exact fix (or if the spec is even changeable), but I'd like to see the preceeding
.as implicit for bare domains, sort of like the trailing dot is part of the SOA / zone records in DNS. That would let the*.example.commatch both the bare domain and any subdomains, without requiring two separate rules to implement.*example.comwould work too, but only if the implicit-dot is part of the parser. If not,evilexample.comwould be a terrible security hole.The text was updated successfully, but these errors were encountered: