内容安全策略标头的* .example.com是否也与example.com匹配? [英] Does a *.example.com for a content security policy header also match example.com?
问题描述
假设我在 mywebsite.com 上设置了此标题:
Content-Security-Policy:script-src self https://*.example.com
I知道它会允许 https://foo.example.com 和 https://bar.example.com ,但它会允许 https://example.com 单独吗?
看看 the spec ....
主机(如example.com)(匹配主机上的任何资源,无论采用何种方案)或* .example.com(,匹配主机或中任何资源的任何子域(及其任何子域名的子域名等))
...好像应该允许普通 https://example.com 。不过,我发现了几个不同的网站(网站1 , site 2 , site 3 , site 4 ) all 表示 https://example.com不包括。这是什么? / p>
但 https:/所引用的/www.w3.org/TR/CSP/#source-expression 部分,它定义了什么是CSP源表达式,实际上并没有说明相关的规范要求。 p>
相反,实际上确实规范地定义相关要求的CSP规范部分是 url中的表达式匹配重定向计数算法 ,子步骤 https://www.w3.org/TR/CSP/#ref-for -grammardef-host-part-2 的内容如下:
如果 expression 的主机部分的第一个字符是U + 002A ASTERISK字符(
*):
$ b 剩下的是从表达式中删除前导*。
- 如果剩余(包括前导U + 002E FULL STOP字符(
。))不是与url的主机最右边的
字符匹配的ASCII区分大小写,然后返回不匹配 。
前面的U + 002E FULL STOP字符(。)部分表示星号被移除后的剩余部分包括领先的句号,所以 url 的主持人最右边的字符也必须以点开头以匹配。
$ b $换句话说,如果你从
*。example.com 开始,然后遍历该算法的那部分hm,首先删除 * 以获取 .example.com 作为剩余的 部分,然后你匹配 url 的主机最右边的字符,包括前导句句。
因此, https://foo.example.com 匹配,因为其主机部分的最右侧字符匹配 .example.com ,但 https://example.com 不匹配,因为其主机部分的最右侧字符不匹配 .example。 $ b -13更新
后退我用CSP规范报告了问题,它是现在已被修复。
CSP规范的相关部分现在显示为:
主机,例如 example.com (它可以匹配主机上的任何资源,而不考虑方案)或 *。example.com (它匹配主机子域上的任何资源(及其任何子域的子域,等等))
请注意,读取的部分与主机或其任何子域上的任何资源匹配现在只读匹配主机子域上的任何资源。
Say I have this header set on mywebsite.com:
Content-Security-Policy: script-src self https://*.example.com
I know it will allow https://foo.example.com and https://bar.example.com, but will it allow https://example.com alone?
Looking at the spec....
Hosts such as example.com (which matches any resource on the host, regardless of scheme) or *.example.com (which matches any resource on the host or any of its subdomains (and any of its subdomains' subdomains, and so on))
...it seems as it should allow plain https://example.com. However, I've found several different sites (site 1, site 2, site 3, site 4) that all say that https://example.com isn't included. Which is it?
解决方案 That text cited from the CSP spec appears to be wrong, and the other sources cited are right.
But that https://www.w3.org/TR/CSP/#source-expression section cited, which defines what a CSP source expression is, isn’t actually stating the relevant normative requirements.
Instead the section of the CSP spec that does actually normatively define the relevant requirements is the Does url match expression in origin with redirect count algorithm, in a substep at https://www.w3.org/TR/CSP/#ref-for-grammardef-host-part-2 which reads:
If the first character of expression’s host-part is an U+002A ASTERISK character (*):
- Let remaining be the result of removing the leading "
*" from expression.
- If remaining (including the leading U+002E FULL STOP character (
.)) is not an ASCII case-insensitive match for the rightmost
characters of url’s host, then return "Does Not Match".
The including the leading U+002E FULL STOP character (.) part of the requirement indicates the remaining part after the asterisk is removed includes the leading full stop, and so the rightmost characters of url’s host must also start with a dot in order to match that.
In other words, if you start with *.example.com and walk through that part of the algorithm, you start by removing the * to get .example.com as the remaining part, and then you match the rightmost characters of url's host against that, including the leading full stop.
So https://foo.example.com matches, because the rightmost characters of its host part match .example.com, but https://example.com doesn’t match, because the rightmost characters of its host part don’t match .example.com (because it lacks the included full stop).
2017-10-13 update
A while back I reported the problem with the CSP spec and it’s now been fixed.
The relevant part of the CSP spec now reads:
Hosts such as example.com (which matches any resource on the host, regardless of scheme) or *.example.com (which matches any resource on the host’s subdomains (and any of its subdomains' subdomains, and so on))
Notice that the part which had read "matches any resource on the host or any of its subdomains" now just reads "matches any resource on the host’s subdomains".
这篇关于内容安全策略标头的* .example.com是否也与example.com匹配?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
