118
edits
Security/CSP/BaseModule: Difference between revisions
→Semantics
No edit summary |
|||
| Line 23: | Line 23: | ||
yyy | yyy | ||
== origin-list == | |||
The origin-list production defines a set of URLs, which the directive can use for some purpose. The origin-list denotes the union of all URLs denoted by the listed origin-descriptors. The three constant origin-descriptors, self, none, and *, denote the following sets of URLs: | |||
*"self" denotes the set of URLs that share the same scheme and (fully qualified) host name as the current web page. | |||
*"none" denotes the empty set of URLs. | |||
*"*" denotes the set of all URLs. | |||
Instead of a constant, the an origin-descriptor can contain a non-constant origin-descriptor such as the following: | |||
<pre>example.com | |||
*.example.org | |||
https://example.net | |||
http://*.foo.example.com</pre> | |||
If the descriptor lacks a scheme, then the scheme defaults to the same scheme as the current web page. If the descriptor contains a *, then the star matches zero or more subdomains. For example, *.example.org matches example.org, foo.example.org and bar.foo.example.org. The origin-descriptor, then, denotes the set of all URLs with schemes and (fully qualified) host names that match the descriptor. Notice that in all cases the origin-list ignores port numbers for simplicity. | |||
A resource load is said to ''respect an origin-list'' if the initial request, and all subsequent redirects, are for URLs contained in the set of URLs denoted by the origin-list. | |||