Say I have this header set on mywebsite.com:
Content-Security-Policy: script-src 'self' https://*.example.com
I know it will allow https://foo.example.com and https://bar.example.com, but will it allow https://example.com alone?
Looking at the spec....
Hosts such as example.com (which matches any resource on the host, regardless of scheme) or *.example.com (which matches any resource on the host or any of its subdomains (and any of its subdomains' subdomains, and so on))
...it seems as if it should allow plain https://example.com. However, I've found several different sites (site 1, site 2, site 3, site 4) that all say that https://example.com isn't included. Which is it?