Domain restrictions semantics
ameshkov opened this issue · comments
Andrey Meshkov commented
If the following conditions are true:
- pattern === ANY_URL
- domain resriction is not empty
- resource type ===(SUB)DOCUMENT
Then use the host of the request URL to check domain restrictions.
Test rules:
$csp=script-src 'none',domain=example.org
$cookie=test,domain=example.org
Andrey Meshkov commented
Currently, we have a workaround for rules with empty pattern and a domain restriction (i.e. $cookie,domain=yandex.ru
). We won't need it anymore if we implement this change.