content-security-policywildcard-subdomain

Can I use a wildcard like https://sub-*.domain.com in my CSP?


I have a domain that has three different subdomains (the naming convention is sub-environment.domain.com). I want to add them to the Content Security Policy, but was wondering if I can use a wildcard like this:

sub-prod.domain.com
sub-stage.domain.com
sub-demo.domain.com

Would it be possible to specify sub-*.domain.com in my CSP to cover all three subdomains?


Solution

  • Check out the latest Content Security Policy Level 3 W3C Working Draft; a wildcard in a host source can only appear at the beginning of the host part:

    host-source = [ scheme-part "://" ] host-part [ ":" port-part ] [ path-part ]
    host-part   = "*" / [ "*." ] 1*host-char *( "." 1*host-char )
    

    Therefore, you cannot use https://sub-*.domain.com as a host source. Instead, you'll have to specify all three of your subdomains in your CSP.