I have a domain that has three different subdomains (the naming convention is sub-environment.domain.com). I want to add them to the Content Security Policy, but was wondering if I can use a wildcard like this:
sub-prod.domain.com
sub-stage.domain.com
sub-demo.domain.com
Would it be possible to specify sub-*.domain.com in my CSP to cover all three subdomains?
Check out the latest Content Security Policy Level 3 W3C Working Draft; a wildcard in a host source can only appear at the beginning of the host part:
host-source = [ scheme-part "://" ] host-part [ ":" port-part ] [ path-part ]
host-part   = "*" / [ "*." ] 1*host-char *( "." 1*host-char )
Therefore, you cannot use https://sub-*.domain.com as a host source. Instead, you'll have to specify all three of your subdomains in your CSP.
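The grammar quoted above can be checked mechanically before a policy is deployed. The following is an added example, not part of the original answer: the function names and the default-src directive are assumptions chosen for illustration, and the path-part is dropped rather than validated.

```javascript
// host-part = "*" / [ "*." ] 1*host-char *( "." 1*host-char )
// host-char = ALPHA / DIGIT / "-"   (per the CSP grammar)
const HOST_PART = /^(?:\*|(?:\*\.)?[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*)$/;
const SCHEME_PART = /^[A-Za-z][A-Za-z0-9+.-]*:\/\//;
const PORT_PART = /:(?:\d+|\*)$/;

// Strip the optional scheme-part, path-part and port-part, leaving the host-part.
function extractHostPart(expr) {
  let rest = expr;
  const scheme = rest.match(SCHEME_PART);
  if (scheme) rest = rest.slice(scheme[0].length);
  const slash = rest.indexOf('/');
  if (slash !== -1) rest = rest.slice(0, slash); // path-part is not validated here
  const port = rest.match(PORT_PART);
  if (port) rest = rest.slice(0, port.index);
  return rest;
}

// True when the wildcard, if any, sits only where the grammar allows it.
function isValidHostSource(expr) {
  return HOST_PART.test(extractHostPart(expr));
}

// Turn the naming convention into the explicit hosts the answer recommends.
// The template's single "*" stands for the environment name (hypothetical helper).
function expandEnvironments(template, environments) {
  return environments.map((env) => template.replace('*', env));
}

// Build a directive, refusing any source a browser would not parse as a host-source.
function buildDirective(name, sources) {
  const invalid = sources.filter((s) => !isValidHostSource(s));
  if (invalid.length > 0) {
    throw new Error('invalid host-source: ' + invalid.join(', '));
  }
  return name + ' ' + sources.join(' ');
}

// Environment names taken from the question.
const hosts = expandEnvironments('https://sub-*.domain.com', ['prod', 'stage', 'demo']);
console.log(buildDirective('default-src', hosts));
```

Note that *.domain.com passes this check, but it matches every subdomain of domain.com rather than only the three environments, so listing the hosts explicitly keeps the policy narrower.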