As it stands, it seems that I need to explicitly add example.com and cdn.example.com as separate entries in CSP headers. Any subsequent subdomains could use *.example.com for matching, but the *. prefix doesn't match a domain with no prefix.
I'm not sure the exact fix (or if the spec is even changeable), but I'd like to see the preceding . as implicit for bare domains, sort of like the trailing dot is part of the SOA / zone records in DNS. That would let the *.example.com match both the bare domain and any subdomains, without requiring two separate rules to implement.
*example.com would work too, but only if the implicit-dot is part of the parser. If not, evilexample.com would be a terrible security hole.
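The behaviour described above (and the hole a bare `*example.com` would open) can be seen by running a small host-part matcher. The following is an added example, not code from this issue or from the CSP spec repository; it models the CSP3 host-part grammar and matching steps as I understand them, adds a hypothetical `implicit_dot` mode for the proposal in the post, and an `unsafe` mode showing what happens if a parser accepted `*example.com` by only stripping the `*`. Trailing-dot handling is left out.

```python
import re

# CSP3 host-part ABNF, reconstructed here (assumption, check against the spec):
#   host-part = "*" / [ "*." ] 1*host-char *( "." 1*host-char ) [ "." ]
# Note the wildcard must be followed by a dot; "*example.com" is not valid syntax.
HOST_PART_RE = re.compile(r"^(?:\*|(?:\*\.)?[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.?)$")


def is_valid_host_part(pattern: str) -> bool:
    """Return True if the pattern is syntactically a valid CSP host-part."""
    return HOST_PART_RE.fullmatch(pattern) is not None


def host_part_matches(pattern: str, host: str, mode: str = "spec") -> bool:
    """Decide whether a CSP host-part pattern matches a URL host.

    mode="spec":         current CSP3 behaviour; "*.example.com" needs a
                         subdomain, so the bare "example.com" does not match.
    mode="implicit_dot": hypothetical behaviour proposed in the issue; the
                         leading "." of the wildcard suffix is treated as
                         implicit, so the bare domain matches as well.
    mode="unsafe":       hypothetical broken parser that accepts "*example.com"
                         and only strips the "*", so "evilexample.com" matches.
    """
    pattern = pattern.lower()
    host = host.lower()

    if pattern == "*":
        return True

    if pattern.startswith("*"):
        if mode != "unsafe" and not pattern.startswith("*."):
            # Spec grammar rejects a wildcard that is not followed by a dot.
            raise ValueError(f"invalid host-part: {pattern!r}")
        remaining = pattern[1:]          # ".example.com" (or "example.com" when unsafe)
        if host.endswith(remaining):
            return True
        if mode == "implicit_dot":
            # Proposal: "*.example.com" also matches the bare "example.com".
            return host == remaining.lstrip(".")
        return False

    # No wildcard: exact (case-insensitive) host comparison.
    return pattern == host


def matching_table(pattern: str, hosts: list[str], mode: str = "spec") -> dict[str, bool]:
    """Evaluate one pattern against several hosts; handy for comparing modes."""
    return {h: host_part_matches(pattern, h, mode) for h in hosts}


if __name__ == "__main__":
    # Constructed sample hosts for demonstration.
    hosts = ["example.com", "cdn.example.com", "a.b.example.com", "evilexample.com"]
    print("spec         *.example.com ->", matching_table("*.example.com", hosts))
    print("implicit_dot *.example.com ->", matching_table("*.example.com", hosts, "implicit_dot"))
    print("unsafe       *example.com  ->", matching_table("*example.com", hosts, "unsafe"))
    print("valid host-part '*example.com'?", is_valid_host_part("*example.com"))
```

The `unsafe` table is the point of the warning in the post: once the dot is not part of the suffix test, `evilexample.com` is accepted alongside the legitimate subdomains. Under the current grammar that pattern is rejected outright, and the only way to cover both the apex and its subdomains is the two entries `example.com *.example.com`.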