Deprecating wildcards

Wildcard base and edge cases

Through enterprise policies:

Notes:

Currently, a wildcard port is serialized as an empty port into prefs. Changing the semantics would require migration.

| Pattern | Expected behavior | Implemented behavior | Reason for implemented behavior |
| --- | --- | --- | --- |
| `http://foo.com:80/`, `https://bar.com:443/`, `https://bar.com:8081/` | Allowed | Allowed | Everything specified. |
| `http://foo.com/`, `https://bar.com/` | Allowed | Allowed | Concrete scheme, concrete host, empty path, unspecified port (implicit wildcard). Matches origins with any port. |
| `http://www.foo.com:*`, `https://www.foo.com:*` | Allowed | Allowed | Concrete scheme, concrete host, empty path, explicit wildcard port. Matches origins with any port. |
| `www.foo.com:80`, `*:www.foo.com:80` | Allowed | Allowed | Wildcard or unspecified (=implicit wildcard) schemes are permitted. |
| `*://www.foo.com`, `www.foo.com:*` | Allowed | Allowed | Unspecified/wildcarded ports and schemes are permitted. |
| `https://www.foo.com:443/*` | Allowed | Allowed | Path wildcards are allowed. They are meaningless, as the pattern is always matched against an origin. |
| `https://[*.]foo.com:443`, `[*.]foo.com` | Disallowed | Disallowed | Disallowed because of subdomain wildcard in host. |
| `https://*:443` | Disallowed | Disallowed | Disallowed because of a full wildcard in host. |
| `*`, `*:*` | Disallowed | Disallowed | Scheme, host, port, path all wildcard. Disallowed because of the host wildcard. Scheme/path/port wildcard would be fine. |
| `https://*`, `https://*:*` | Disallowed | Disallowed | Concrete scheme, but host, port, path all wildcard. Disallowed because of the host wildcard. |


Through extensions (format, note that port cannot be specified, but path must be specified):


Notes:

  • The omitted port maps to the default port (80 and 443), not the wildcard.

  • The port can be optionally specified, and can be specified as “*”, which then maps to the wildcard.

  • The only allowed path for http/https is “/*”, and that maps to the empty path, not a wildcard.


| Pattern | Expected behavior | Implemented behavior | Reason for implemented behavior |
| --- | --- | --- | --- |
| `http://foo.com/*`, `https://bar.com/*`, `http://foo.com:80/*`, `https://foo.com:80/*` | Allowed | Allowed. | The omitted port is assumed to be the default port, and `/*` maps to the empty path. |
| `https://foo.com:*/*` | Allowed | Allowed. | Concrete scheme, host, empty path, wildcard port. |
| `*://www.foo.com/*` | Allowed | Allowed | Wildcard scheme is permitted. |
| `<all_urls>` | Disallowed | Disallowed | All-wildcard. |
| `https://*.foo.com/*` | Disallowed | Disallowed | Subdomain wildcard. |
| `https://*/*`, `*://*/*` | Disallowed | Disallowed | Domain wildcard. |
| `www.foo.com/*`, `*.foo.com/*` | Invalid | Invalid (The scheme must be present) | |
| `http://foo.com/path*`, `www.foo.com/index.html`, `http://www.google.com/`, `http://www.google.com` | Invalid | The only allowed path for http/https is “/*”, and that maps to the empty path, not a wildcard. | |
| `http://*foo/bar/*`, `http://foo.*.bar/baz/*`, `https://[*.]foo.com:443/*` | Invalid | Invalid ('*' in the host can only be the first character and must be followed by ‘.’, and subdomain wildcards are not supported) | |
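
The acceptance rules from the two tables above, written out as an added example (a simplified model, not Chromium's pattern parser and not code from this page). The function names are hypothetical, and only `://` is treated as a scheme separator, so the `*:www.foo.com:80` row of the policy table is not modelled.

```python
# Simplified model of the two tables above; names are hypothetical.
ALLOWED, DISALLOWED, INVALID = "Allowed", "Disallowed", "Invalid"

def split_pattern(pattern):
    """Split into (scheme, host, port, path); None marks an omitted part."""
    scheme, sep, rest = pattern.partition("://")
    if not sep:                      # no scheme given: implicit wildcard
        scheme, rest = None, pattern
    hostport, slash, path = rest.partition("/")
    path = slash + path if slash else None
    host, colon, port = hostport.rpartition(":")
    if not colon:                    # no port given
        host, port = hostport, None
    return scheme, host, port, path

def classify_policy(pattern):
    """Enterprise-policy patterns: scheme, port and path wildcards are fine;
    any wildcard in the host ("*" or "[*.]") is rejected."""
    _scheme, host, _port, _path = split_pattern(pattern)
    return DISALLOWED if "*" in host else ALLOWED

def classify_extension(pattern):
    """Extension patterns: syntax is checked first, then the host wildcard."""
    if pattern == "<all_urls>":
        return DISALLOWED
    scheme, host, _port, path = split_pattern(pattern)
    # The scheme must be present and the only accepted path is "/*".
    if scheme is None or path != "/*":
        return INVALID
    if "*" in host:
        # '*' may only be the first character and must be followed by '.'.
        well_formed = host == "*" or (
            host.startswith("*.") and "*" not in host[2:])
        return DISALLOWED if well_formed else INVALID
    return ALLOWED

if __name__ == "__main__":
    # Patterns taken from the tables above.
    for p in ["http://foo.com/", "www.foo.com:*", "[*.]foo.com", "https://*:443"]:
        print("policy   ", p, "->", classify_policy(p))
    for p in ["https://foo.com:*/*", "https://*.foo.com/*", "www.foo.com/*"]:
        print("extension", p, "->", classify_extension(p))
```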


