the Chromium logo

The Chromium Projects

Deprecating wildcards

Wildcard base and edge cases

Through enterprise policies:

Notes:

Currently, a wildcard port is serialized as an empty port into prefs. Changing the semantics would require migration.

Pattern Expected behavior Implemented behavior Reason for implemented behavior
http://foo.com:80/ https://bar.com:443/ https://bar.com:8081/ Allowed Allowed Everything specified.
http://foo.com/ https://bar.com/ Allowed Allowed Concrete scheme, concrete host, empty path, unspecified port (implicit wildcard). Matches origins with any port.
http://www.foo.com:\* https://www.foo.com:\* Allowed Allowed Concrete scheme, concrete host, empty path, explicit wildcard port. Matches origins with any port.
www.foo.com:80 \*:www.foo.com:80 Allowed Allowed Wildcard or unspecified (=implicit wildcard) schemes are permitted
\*://www.foo.com www.foo.com:\* Allowed Allowed Unspecified/wildcarded ports and schemes are permitted.
https://www.foo.com:443/\* Allowed Allowed Path wildcards are allowed. They are meaningless, as the pattern is always matched against an origin.
https://\[\*.\]foo.com:443 \[\*.\]foo.com Disallowed Disallowed Disallowed because of subdomain wildcard in host.
https://\*:443 Disallowed Disallowed Disallowed because of a full wildcard in host.
\* \*:\* Disallowed Disallowed Scheme host port path all wildcard. Disallowed because of the host wildcard. Scheme/path/port wildcard would be fine.
https://\* https://\*:\* Disallowed Disallowed Concrete scheme, but host port path all wildcard. Disallowed because of the host wildcard.

Through extensions (format, note that port cannot be specified, but path must be specified):

Notes:

The omitted port maps to the default port (80 and 443), not the wildcard.

The port can be optionally specified, and can be specified as “\*”, which
then maps to the wildcard.

The only allowed path for http/https is “/\*”, and that maps to the empty
path, not a wildcard.
Pattern Expected behavior Implemented behavior Reason for implemented behavior
http://foo.com/\* https://bar.com/\* http://foo.com:80/\* https://foo.com:80/\* Allowed Allowed. The omitted port is assumed to be the default port, and /\* maps to the empty path.
https://foo.com:\*/\* Allowed Allowed. Concrete scheme, host, empty path, wildcard port.
\*://www.foo.com/\* Allowed Allowed Wildcard scheme is permitted.
<all_urls> Disallowed Disallowed All-wildcard.
https://\*.foo.com/\* Disallowed Disallowed Subdomain wildcard.
https://\*/\* \*://\*/\* Disallowed Disallowed Domain wildcard.
www.foo.com/\* \*.foo.com/\* Invalid Invalid (The scheme must be present)
http://foo.com/path\* www.foo.com/index.html http://www.google.com/ http://www.google.com Invalid The only allowed path for http/https is “/\*”, and that maps to the empty path, not a wildcard.
http://\*foo/bar/\* http://foo.\*.bar/baz/\* https://\[\*.\]foo.com:443/\* Invalid Invalid ('\*' in the host can only be the first character and must be followed by ‘.’, and subdomain wildcards are not supported)