How to CSP header URLs with specific patterns

There are a few URLs like http://aa.bb.dd.com http://aa.bb1.dd.com

I added the CSP whitelist URL with a pattern like the one below:

http://*.bb*.*.com

But I am getting an error:

The source list for Content Security Policy directive 'script-src' contains an invalid source: 'https://*.bb*.*.com'. It will be ignored

How do I add the pattern so that bb* (aa.bb1.dd.com, aa.bb2.dd.com, etc.) is allowed?

1 answer

  • answered 2018-03-13 22:21 Barry Pollard

    You can’t.

    The spec lists hosts as the following:

    ; Hosts: "example.com" / "*.example.com" / "https://*.example.com:12/path/to/file.js"
    host-source = [ scheme-part "://" ] host-part [ port-part ] [ path-part ]
    scheme-part = scheme
                  ; scheme is defined in section 3.1 of RFC 3986.
    host-part   = "*" / [ "*." ] 1*host-char *( "." 1*host-char )
    host-char   = ALPHA / DIGIT / "-"
    port-part   = ":" ( 1*DIGIT / "*" )
    path-part   = path-abempty
                  ; path-abempty is defined in section 3.3 of RFC 3986.
    

    That is, the host can either be a *, begin with *., or not have a * in it at all.

    So you could have *.dd.com (but not *.*.dd.com).

    To be honest, using wildcards as you want would open security issues and defeat the point of using CSP, as I could load resources from any domain just by using a subdomain with bb in it (e.g. http://www.bb.baddomain.com).
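The following is an added example, not code from the question or the answer. It applies the host-source grammar quoted in the answer to show why the browser rejects the questioner's pattern, then matches the questioner's hostnames against the one source the grammar does accept (*.dd.com), and contrasts that with the glob-style matching the questioner was hoping for. All hostnames and the policy list are constructed sample values; port and path matching rules from the spec are deliberately left out of the allow check (an assumption of this example, not of the spec).

```javascript
// Added example, not code from the original post. Applies the host-source
// grammar quoted in the answer and then matches hostnames against a source
// that the grammar accepts. All hostnames below are constructed samples.

// host-part = "*" / [ "*." ] 1*host-char *( "." 1*host-char )
// host-char = ALPHA / DIGIT / "-"
const HOST_PART = /^(?:\*|(?:\*\.)?[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*)$/;
// scheme (RFC 3986 section 3.1) and port-part = ":" ( 1*DIGIT / "*" )
const SCHEME = /^[A-Za-z][A-Za-z0-9+.-]*$/;
const PORT = /^(?:\d+|\*)$/;

// Split a host-source expression into its parts. Returns null when the
// grammar rejects it, which is what makes the browser log "contains an
// invalid source" and ignore the entry.
function parseHostSource(src) {
  let rest = src.trim();
  let scheme = null;
  const sep = rest.indexOf('://');
  if (sep !== -1) {
    scheme = rest.slice(0, sep).toLowerCase();
    if (!SCHEME.test(scheme)) return null;
    rest = rest.slice(sep + 3);
  }
  // path-part begins at the first "/" after the host
  let path = '';
  const slash = rest.indexOf('/');
  if (slash !== -1) {
    path = rest.slice(slash);
    rest = rest.slice(0, slash);
  }
  let port = null;
  const colon = rest.indexOf(':');
  if (colon !== -1) {
    port = rest.slice(colon + 1);
    if (!PORT.test(port)) return null;
    rest = rest.slice(0, colon);
  }
  if (!HOST_PART.test(rest)) return null;
  return { scheme, host: rest.toLowerCase(), port, path };
}

// Host matching as the spec describes it: "*" matches any host, "*.x"
// matches any subdomain of x (not x itself), anything else must be equal.
function hostMatches(pattern, hostname) {
  const h = hostname.toLowerCase();
  if (pattern === '*') return true;
  if (pattern.startsWith('*.')) {
    const base = pattern.slice(2);
    return h.length > base.length + 1 && h.endsWith('.' + base);
  }
  return h === pattern;
}

// Would any valid source in a source list allow a script from urlString?
// Simplification (assumption of this example): only scheme and host are
// compared; the spec's port and path rules are left out.
function sourceListAllows(sources, urlString) {
  const url = new URL(urlString);
  const urlScheme = url.protocol.replace(/:$/, '');
  return sources.some((src) => {
    const parsed = parseHostSource(src);
    if (parsed === null) return false; // ignored, as the browser does
    if (parsed.scheme !== null && parsed.scheme !== urlScheme) return false;
    return hostMatches(parsed.host, url.hostname);
  });
}

// What the question asked for: "*" anywhere in a label, glob style. Shown
// only to make the answer's point; this is NOT how CSP matches, and the
// browser rejects such a source outright.
function naiveGlobMatches(pattern, hostname) {
  const re = new RegExp(
    '^' + pattern.replace(/\./g, '\\.').replace(/\*/g, '[^.]*') + '$', 'i');
  return re.test(hostname);
}

// Sample run over constructed hostnames: the rejected pattern contributes
// nothing, *.dd.com covers the two wanted hosts, and the glob would also
// have let the attacker-controlled host through.
const policy = ['http://*.bb*.*.com', '*.dd.com'];
for (const host of ['aa.bb1.dd.com', 'aa.bb2.dd.com', 'www.bb.baddomain.com']) {
  console.log(host,
    'csp:', sourceListAllows(policy, 'http://' + host + '/app.js'),
    'glob:', naiveGlobMatches('*.bb*.*.com', host));
}
```

Running it under Node prints that both aa.bb1.dd.com and aa.bb2.dd.com are allowed by *.dd.com while www.bb.baddomain.com is not, whereas the glob interpretation of *.bb*.*.com accepts all three, which is exactly the hole the answer warns about.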