From reading the CSP Standard specification and examples it seems that it does not support wildcards in the path portion of a given URL. This seems like an oversight, as many CDNs and static file hosting providers share the root domain names between their users and only differentiate access on URL paths rather than the entire domain.
For example, when using S3 or Google Cloud Storage as a CDN, you might want a CSP to allow scripts/assets to be loaded from just your bucket with a wildcard URL like "https://storage.googleapis.com/my-apps-bucket/*" but disallow them for the rest of https://storage.googleapis.com, as it would be rather trivial for a malicious actor to create their own account and serve content from that root domain.
This seems like a pretty common use case; am I misunderstanding the spec? If not, what is the syntax to use wildcard paths, as utilizing a header like Content-Security-Policy: script-src 'self' https://example.com/* does not seem to work.
The special character * (ASTERISK) in the rules of Content Security Policy directives can be used as a wildcard to indicate the entire source, i.e. to allow resources to be loaded from any network host-source, with any protocol and port number.
Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross-Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft, to site defacement, to malware distribution; in an XSS attack the attacker tricks a trusted website into delivering malicious content to its users.
The main purpose of CSP is to mitigate and detect XSS attacks. XSS attacks exploit the browser's trust in the content received from the server. The victim's browser is exposed to execution of malicious scripts, because the browser trusts the source of the content.
The "matching source expressions" part of the spec (http://www.w3.org/TR/CSP/#match-source-expression) describes the URL matching algorithm in detail. It does support what you're asking for, but you don't use the wildcard character.
The spec discusses the optional "path-part" of the allowed sources, and says if the allowed URL ends in a slash "/", it is a prefix match rather than an exact match.
So, in your example, if you allow https://storage.googleapis.com/my-apps-bucket/ with a slash but without the asterisk on the end, it will match files below that URL, for example https://storage.googleapis.com/my-apps-bucket/file1.js
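As an added worked example (not part of the question or the answer above, and not browser code), here is a small Python matcher that follows the CSP Level 3 "Does url match expression" rules closely enough to show the behaviour the answer describes: a path-part ending in "/" is a segment-prefix match, a path-part without a trailing slash is an exact match, and a literal "*" inside the path is just a character. The function name url_matches_source and the sample URLs are my own; redirect handling, 'self', nonces and hashes are left out.

```python
"""Minimal CSP host-source matcher (added example, not the spec's reference code).

It implements the scheme / host / port / path checks of the CSP Level 3
host-source matching algorithm for a single expression and a single URL.
"""
import re
from urllib.parse import urlsplit, unquote

# Network schemes and their default ports (used when a URL or expression omits the port).
DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}

# scheme://host:port/path, where scheme, port and path are optional and host may be
# "*" or start with "*." (the grammar is simplified; IP literals are not handled).
HOST_SOURCE = re.compile(
    r"^(?:(?P<scheme>[a-z][a-z0-9+.-]*)://)?"
    r"(?P<host>\*|(?:\*\.)?[a-z0-9-]+(?:\.[a-z0-9-]+)*)"
    r"(?::(?P<port>\d+|\*))?"
    r"(?P<path>/[^?#]*)?$",
    re.IGNORECASE,
)


def _scheme_matches(expr_scheme, url_scheme):
    # A scheme in the expression also permits its secure upgrade (http -> https, ws -> wss).
    if expr_scheme == url_scheme:
        return True
    return (expr_scheme, url_scheme) in {("http", "https"), ("ws", "wss")}


def _host_matches(expr_host, url_host):
    if expr_host == "*":
        return True
    if expr_host.startswith("*."):
        # "*.example.com" covers subdomains only, not "example.com" itself.
        return url_host.endswith(expr_host[1:])
    return expr_host == url_host


def _port_matches(expr_port, url_port, url_scheme):
    effective_url_port = url_port if url_port is not None else DEFAULT_PORTS.get(url_scheme)
    if expr_port == "*":
        return True
    if expr_port is None:
        # No port-part: the URL must use the default port for its own scheme.
        return effective_url_port == DEFAULT_PORTS.get(url_scheme)
    return int(expr_port) == effective_url_port


def _path_matches(expr_path, url_path):
    # No path-part in the expression means "any path".
    if not expr_path:
        return True
    url_path = url_path or "/"
    a = [unquote(seg).lower() for seg in expr_path.split("/")]
    b = [unquote(seg).lower() for seg in url_path.split("/")]
    if expr_path.endswith("/"):
        a.pop()  # trailing slash: compare as a prefix of whole path segments
        if len(a) > len(b):
            return False
        return all(x == y for x, y in zip(a, b))
    return a == b  # no trailing slash: exact path match only


def url_matches_source(expression, url):
    """Return True if `url` is permitted by the host-source `expression`."""
    m = HOST_SOURCE.match(expression)
    if not m:
        raise ValueError("not a host-source expression: %r" % (expression,))
    expr_scheme = (m.group("scheme") or "").lower()
    expr_host = m.group("host").lower()
    expr_port = m.group("port")
    expr_path = m.group("path") or ""

    u = urlsplit(url)
    url_scheme = u.scheme.lower()
    url_host = (u.hostname or "").lower()

    if expression == "*":
        # A bare "*" allows any network host but not e.g. data: or blob: URLs.
        return url_scheme in DEFAULT_PORTS
    if expr_scheme:
        if not _scheme_matches(expr_scheme, url_scheme):
            return False
    elif url_scheme not in DEFAULT_PORTS:
        return False  # an expression without a scheme only covers network schemes
    return (_host_matches(expr_host, url_host)
            and _port_matches(expr_port, u.port, url_scheme)
            and _path_matches(expr_path, u.path))


if __name__ == "__main__":
    allowed = "https://storage.googleapis.com/my-apps-bucket/"  # constructed sample policy entry
    for candidate in (
        "https://storage.googleapis.com/my-apps-bucket/file1.js",
        "https://storage.googleapis.com/other-bucket/evil.js",
        "https://storage.googleapis.com/my-apps-bucket-evil/x.js",
    ):
        print(candidate, "->", url_matches_source(allowed, candidate))
```

Two details worth noticing when running it: the comparison is per path segment, so the bucket entry does not accidentally cover a sibling bucket whose name merely starts with the same characters (my-apps-bucket-evil), and the question's https://example.com/* form is accepted by the grammar but only ever matches the literal path /*.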