
normalize domains with trailing slashes

Open keithamus opened this issue 3 years ago • 1 comment

All PRs:

  • [x] Has tests
  • [ ] Documentation updated - N/A

Adding a new header

Generally, adding a new header is always OK.

  • Is the header supported by any user agent? If so, which?
  • What does it do?
  • What are the valid values for the header?
  • Where does the specification live?

Adding a new CSP directive

  • Is the directive supported by any user agent? If so, which?
  • What does it do?
  • What are the valid values for the directive?

This PR normalises CSP source expressions to exclude trailing slashes from the Domain if there is no other information in the path.

CSP3 more explicitly calls this out in the path match algorithm:

If path A consists of one character that is equal to the U+002F SOLIDUS character (/) and path B is empty, return "Matches".

Also, a URL like example.com/foo will match a source expression of example.com, as well as example.com/, so having two source expressions listed like this is redundant.

keithamus · Mar 30 '22 17:03
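An added example, not secure_headers' own code, showing the normalization the PR describes in plain Ruby: a source expression whose path is exactly `/` loses that slash, a real path such as `/foo/` is kept, and the resulting list is deduplicated. It also includes a simplified version of the CSP3 path-part match (assumption: percent-decoding and the scheme/host/port steps are omitted, and the module and method names are hypothetical) so the redundancy claim can be checked directly: `example.com` and `example.com/` both match `/foo`.

```ruby
# Hypothetical helper illustrating the PR's normalization rule.
# Not part of secure_headers; names are made up for this example.
module CspSourceNormalizer
  # Scheme-only sources such as "https:" or "data:" have no host or path.
  SCHEME_ONLY = /\A[a-z][a-z0-9+.\-]*:\z/i

  # Drop a bare trailing "/" from a host-based source expression.
  # "example.com/" => "example.com", "https://example.com/" => "https://example.com",
  # but "example.com/foo/" is left alone because the path carries information.
  def self.normalize(source)
    return source if source.start_with?("'")   # keywords/nonces/hashes
    return source if source.match?(SCHEME_ONLY)

    scheme, rest = source.split("://", 2)
    if rest.nil?               # no scheme present
      rest = scheme
      scheme = nil
    end

    host_port, path = rest.split("/", 2)
    path = path.nil? ? "" : "/#{path}"
    path = "" if path == "/"   # CSP3: "/" and an empty path match identically

    (scheme ? "#{scheme}://" : "") + host_port + path
  end

  # Normalize every entry and collapse the duplicates that normalization exposes.
  def self.normalize_list(sources)
    sources.map { |s| normalize(s) }.uniq
  end

  # Simplified CSP3 path-part match (assumption: decoding/edge cases omitted).
  # path_a is the source expression's path, path_b the URL's path.
  def self.path_matches?(path_a, path_b)
    return true if path_a.empty?
    return true if path_a == "/" && path_b.empty?

    exact = !path_a.end_with?("/")
    a = path_a.split("/").reject(&:empty?)
    b = path_b.split("/").reject(&:empty?)
    return false if a.length > b.length
    return a == b if exact

    a == b.first(a.length)     # trailing slash means prefix match
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample list containing the redundancy the PR points out.
  sources = ["example.com", "example.com/", "https://cdn.example.com/", "cdn.example.com/assets/", "'self'", "https:"]
  puts CspSourceNormalizer.normalize_list(sources).inspect
end
```

The trailing-slash case in `path_matches?` is the one the quoted CSP3 step covers; the prefix branch explains why `example.com/` is no stricter than `example.com`.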

@keithamus @vcsjones anything I can do to help get this PR ready to ship?

srt32 · Jul 18 '22 13:07