CSP 1.1: Expanding the path-matching syntax to include files.
authorMike West <mkwst@google.com>
Sat, 13 Oct 2012 09:45:46 +0200
changeset 165c29f8817f682
parent 164 7519040405d4
child 166 41086ca494c7
CSP 1.1: Expanding the path-matching syntax to include files.

After some discussion on the list[1], it seems reasonable to add file-level
granularity to the source expression matching rules. This patch is a first
stab at that, with the intent of allowing source expressions like
'example.com/js/file.js' to match specific files.

In short, paths that end in '/' will be treated as directories, matching all
files under that directory. Paths that do not end in '/' will be considered
files, matching only one specific entry.
csp-specification.dev.html
     1.1 --- a/csp-specification.dev.html	Sun Sep 30 13:35:47 2012 +0200
     1.2 +++ b/csp-specification.dev.html	Sat Oct 13 09:45:46 2012 +0200
     1.3 @@ -524,11 +524,13 @@
     1.4                    respectively. If the URI does not have a port, then let
     1.5                    <var>uri-port</var> be the default port for
     1.6                    <var>uri-scheme</var>. Let <var>uri-path</var> be
     1.7 -                  the path of the URI, after
     1.8 +                  the path of the URI and <var>uri-query</var> be the URI's
     1.9 +                  query component, after
    1.10                    <a href="http://tools.ietf.org/html/rfc3986#section-2.1">decoding
    1.11                    percent-encoded characters</a>. If the URI does not have a
    1.12                    path, then let <var>uri-path</var> be the U+002F SOLIDUS
    1.13 -                  character (<code>/</code>).</li>
    1.14 +                  character (<code>/</code>). If the URI does not have a query,
    1.15 +                  then let <var>uri-query</var> be the empty string.</li>
    1.16  
    1.17                    <li>If the source expression has a <code>scheme</code> that is
    1.18                    not a case insensitive match for <var>uri-scheme</var>, then
    1.19 @@ -571,16 +573,26 @@
    1.20                        <li>Let <var>decoded-path</var> be the result of
    1.21                        <a href="http://tools.ietf.org/html/rfc3986#section-2.1">decoding
    1.22                        <code>path</code>'s percent-encoded characters</a>.</li>
    1.23 +
    1.24                        <li>If the final character of <var>decoded-path</var> is
    1.25 -                      not the U+002F SOLIDUS character (<code>/</code>), then
    1.26 -                      append the U+002F SOLIDUS character (<code>/</code>) to
    1.27 -                      <var>decoded-path</var>.</li>
    1.28 -                      <li>If <var>decoded-path</var> is not a prefix of
    1.29 +                      the U+002F SOLIDUS character (<code>/</code>), and
    1.30 +                      <var>decoded-path</var> is not a prefix of
    1.31                        <var>uri-path</var>, then return <em>does not
    1.32                        match</em>.</li>
    1.33 +
    1.34 +                      <li>If the final character of <var>decoded-path</var> is
    1.35 +                      not the the U+002F SOLIDUS character (<code>/</code>),
    1.36 +                      and <var>decoded-path</var> is not an exact match for
    1.37 +                      <var>uri-path</var> then return <em>does not
    1.38 +                      match</em>.</li>
    1.39                      </ol>
    1.40                    </li>
    1.41  
    1.42 +                  <li>If the source expression contains a non-empty
    1.43 +                  <code>query</code>, then return <em>does not match</em>
    1.44 +                  unless <code>query</code> is an exact match for
    1.45 +                  <var>uri-query</var>.</li>
    1.46 +
    1.47                    <li>Otherwise, return <em>does match</em>.</li>
    1.48                  </ol>
    1.49                </li>
    1.50 @@ -602,6 +614,39 @@
    1.51              href="#parse-a-source-list">parsing the source list</a>. Notice that
    1.52              no URIs match an empty set of source expressions, such as the set
    1.53              obtained by parsing the source list <code>'none'</code>.</p>
    1.54 +
    1.55 +            <section class="informative">
    1.56 +              <h6>Path Matching</h6>
    1.57 +
    1.58 +              <p>The rules for matching source expressions that contain paths
    1.59 +              are simpler than they look: paths that end with the '/' character
    1.60 +              match all files in a directory and its subdirectories. Paths that
    1.61 +              do not end with the '/' character match only one specific file. A
    1.62 +              few examples should make this clear:</p>
    1.63 +              <ol>
    1.64 +                <li>The source expression <code>example.com</code> has no path,
    1.65 +                and therefore matches any file served from that host.</li>
    1.66 +
    1.67 +                <li>The source expression <code>example.com/scripts/</code>
    1.68 +                matches any file in the <code>scripts</code> directory of
    1.69 +                <code>example.com</code>, and any of its subdirectories. For
    1.70 +                example, both <code>https://example.com/scripts/file.js</code>
    1.71 +                and <code>https://example.com/scripts/js/file.js</code> would
    1.72 +                match.</li>
    1.73 +
    1.74 +                <li>The source expression
    1.75 +                <code>example.com/scripts/file.js</code> matches only the file
    1.76 +                named <code>file.js</code> in the <code>scripts</code> directory
    1.77 +                of <code>example.com</code>.</li>
    1.78 +
    1.79 +                <li>Likewise, the source expression <code>example.com/js</code>
    1.80 +                matches only the file named <code>js</code>. In particular, note
    1.81 +                that it would not match files inside a directory named
    1.82 +                <code>js</code>. Files like <code>example.com/js/file.js</code>
    1.83 +                would be matched only if the source expression ended with a
    1.84 +                trailing "/", as in <code>example.com/js/</code>.</li>
    1.85 +              </ol>
    1.86 +            </section>
    1.87            </section>
    1.88          </section>
    1.89