Deprecating wildcards
Wildcard base and edge cases
Through enterprise policies:
Notes:
Currently, a wildcard port is serialized as an empty port into prefs. Changing the semantics would require migration.
| Pattern | Expected behavior | Implemented behavior | Reason for implemented behavior |
| --- | --- | --- | --- |
| http://foo.com:80/, https://bar.com:443/, https://bar.com:8081/ | Allowed | Allowed | Everything specified. |
| http://foo.com/, https://bar.com/ | Allowed | Allowed | Concrete scheme, concrete host, empty path, unspecified port (implicit wildcard). Matches origins with any port. |
| http://www.foo.com:\*, https://www.foo.com:\* | Allowed | Allowed | Concrete scheme, concrete host, empty path, explicit wildcard port. Matches origins with any port. |
| www.foo.com:80, \*:www.foo.com:80 | Allowed | Allowed | Wildcard or unspecified (= implicit wildcard) schemes are permitted. |
| \*://www.foo.com, www.foo.com:\* | Allowed | Allowed | Unspecified/wildcarded ports and schemes are permitted. |
| https://www.foo.com:443/\* | Allowed | Allowed | Path wildcards are allowed. They are meaningless, as the pattern is always matched against an origin. |
| https://\[\*.\]foo.com:443, \[\*.\]foo.com | Disallowed | Disallowed | Disallowed because of subdomain wildcard in host. |
| https://\*:443 | Disallowed | Disallowed | Disallowed because of a full wildcard in host. |
| \*, \*:\* | Disallowed | Disallowed | Scheme, host, port and path are all wildcards. Disallowed because of the host wildcard. Scheme/path/port wildcard would be fine. |
| https://\*, https://\*:\* | Disallowed | Disallowed | Concrete scheme, but host, port and path are all wildcards. Disallowed because of the host wildcard. |
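
The host-wildcard rule from the enterprise-policy table above, as an added Python example (not code from the original document or from any browser's own pattern parser). The function names, the simplified splitting logic (IPv6 literals are not handled) and the sample list are assumptions made for illustration.

```python
from typing import NamedTuple, Tuple


class Parts(NamedTuple):
    scheme: str
    host: str
    port: str
    path: str


def parse_policy_pattern(pattern: str) -> Parts:
    """Split a policy pattern; an unspecified scheme or port becomes '*'."""
    scheme, sep, rest = pattern.partition("://")
    if not sep:                      # no scheme given: implicit wildcard
        scheme, rest = "*", pattern
    hostport, _, path = rest.partition("/")
    host, colon, port = hostport.rpartition(":")
    if not colon:                    # no port given: implicit wildcard
        host, port = hostport, "*"
    if not host or not (port == "*" or port.isdigit()):
        raise ValueError(f"malformed pattern: {pattern!r}")
    return Parts(scheme, host, port, path)


def classify(pattern: str) -> Tuple[str, str]:
    """Return (verdict, reason); only a wildcard in the host is rejected."""
    parts = parse_policy_pattern(pattern)
    if parts.host == "*":
        return "Disallowed", "full wildcard in host"
    if parts.host.startswith("[*.]"):
        return "Disallowed", "subdomain wildcard in host"
    if "*" in parts.host:            # assumption: any other '*' in host is rejected too
        return "Disallowed", "wildcard inside host"
    # Scheme, port and path wildcards never widen the set of matched hosts.
    return "Allowed", "concrete host"


# Constructed sample: a selection of patterns copied from the table rows above.
SAMPLES = [
    "http://foo.com:80/", "http://foo.com/", "https://www.foo.com:*",
    "www.foo.com:80", "*://www.foo.com", "https://www.foo.com:443/*",
    "https://[*.]foo.com:443", "[*.]foo.com", "https://*:443",
    "*", "*:*", "https://*", "https://*:*",
]

if __name__ == "__main__":
    for p in SAMPLES:
        print(f"{p:28} {classify(p)}")
```
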
Through extensions (format, note that port cannot be specified, but path must be specified):
Notes:
The omitted port maps to the default port (80 and 443), not the wildcard.
The port can be optionally specified, and can be specified as “\*”, which then maps to the wildcard.
The only allowed path for http/https is “/\*”, and that maps to the empty path, not a wildcard.
| Pattern | Expected behavior | Implemented behavior | Reason for implemented behavior |
| --- | --- | --- | --- |
| http://foo.com/\*, https://bar.com/\*, http://foo.com:80/\*, https://foo.com:80/\* | Allowed | Allowed | The omitted port is assumed to be the default port, and /\* maps to the empty path. |
| https://foo.com:\*/\* | Allowed | Allowed | Concrete scheme, host, empty path, wildcard port. |
| \*://www.foo.com/\* | Allowed | Allowed | Wildcard scheme is permitted. |
| <all_urls> | Disallowed | Disallowed | All-wildcard. |
| https://\*.foo.com/\* | Disallowed | Disallowed | Subdomain wildcard. |
| https://\*/\*, \*://\*/\* | Disallowed | Disallowed | Domain wildcard. |
| www.foo.com/\*, \*.foo.com/\* | Invalid | Invalid (The scheme must be present) | |
| http://foo.com/path\*, www.foo.com/index.html, http://www.google.com/, http://www.google.com | Invalid | The only allowed path for http/https is “/\*”, and that maps to the empty path, not a wildcard. | |
| http://\*foo/bar/\*, http://foo.\*.bar/baz/\*, https://\[\*.\]foo.com:443/\* | Invalid | Invalid ('\*' in the host can only be the first character and must be followed by '.', and subdomain wildcards are not supported) | |