risk - Dave's Blog


Application Content URI Rules wildcard syntax

2017 May 31, 4:48

Application Content URI Rules (ACUR from now on) defines the bounds of the web that make up the Microsoft Store application. Package content via the ms-appx URI scheme is automatically considered part of the app. But if you have content on the web via http or https you can use ACUR to declare to Windows that those URIs are also part of your application. When your app navigates to URIs on the web those URIs will be matched against the ACUR to determine if they are part of your app or not. The documentation for how matching is done on the wildcard URIs in the ACUR Rule elements is not very helpful on MSDN so here are some notes.


You can have up to 100 Rule XML elements per ApplicationContentUriRules element. Each has a Match attribute that can be up to 2084 characters long. The content of the Match attribute is parsed with CreateUri and when matching against URIs on the web additional wildcard processing is performed. I’ll call the URI from the ACUR Rule the rule URI and the URI we compare it to found during app navigation the navigation URI.

The rule URI is matched to a navigation URI by URI component: scheme, username, password, host, port, path, query, and fragment. If a component does not exist on the rule URI then it matches any value of that component in the navigation URI. For example, a rule URI with no fragment will match a navigation URI with no fragment, with an empty string fragment, or a fragment with any value in it.


Each component except the port may have up to 8 asterisks. Two asterisks in a row counts as an escape and will match 1 literal asterisk. For scheme, username, password, query and fragment the asterisk matches whatever it can within the component.


For the host, if the host consists of exactly one single asterisk then it matches anything. Otherwise an asterisk in a host only matches within its domain name label. For example, http://*.example.com will match http://a.example.com/ but not http://b.a.example.com/ or http://example.com/. And http://*/ will match http://example.com, http://a.example.com/, and http://b.a.example.com/. However the Store places restrictions on submitting apps that use the http://* rule or rules with an asterisk in the second effective domain name label. For example, http://*.com is also restricted for Store submission.


For the path, an asterisk matches within the path segment. For example, http://example.com/a/*/c will match http://example.com/a/b/c and http://example.com/a//c but not http://example.com/a/b/b/c or http://example.com/a/c

Additionally for the path, if the path ends with a slash then it matches any path that starts with that same path. For example, http://example.com/a/ will match http://example.com/a/b and http://example.com/a/b/c/d/e/, but not http://example.com/b/.

If the path doesn’t end with a slash then there is no suffix matching performed. For example, http://example.com/a will match only http://example.com/a and no URIs with a different path.

As a part of parsing the rule URI and the navigation URI, CreateUri will perform URI normalization and so the hostname and scheme will be made lower case (casing matters in all other parts of the URI and case sensitive comparisons will be performed), IDN normalization will be performed, ‘.’ and ‘..’ path segments will be resolved and other normalizations as described in the CreateUri documentation.

PermalinkCommentsapplication-content-uri-rules programming windows windows-store

Tweet from David_Risney

2015 Oct 23, 2:04
The Automation Paradox discussed http://spectrum.ieee.org/podcast/aerospace/aviation/the-benefits-of-risk/ …. Coming soon to all of our cars

CSS Fonts Module Level 3

2011 May 10, 10:49Interesting standards disagreements showing up in specs: "Some implementers feel a same-origin restriction should be the default for all new resource types while others feel strongly that an opt-in strategy usuable for all resource types would be a better mechanism and that the default should always be to allow cross-origin linking for consistency with existing resource types (e.g. script, images). As such, this section should be considered at risk for removal if the consensus is to use an alternative mechanism."PermalinkCommentsreference web development font specification w3c css3

The pi Phone Project! Call (253)243-2504

2011 Mar 14, 8:59PermalinkCommentspi phone pi-day humor asterisk

Client-side Cross-domain Security

2010 Mar 31, 7:54"Summary: Exploring cross-domain threats and use cases, security principles for cross-origin requests, and finally, weighing the risks for developers to enhance cross-domain access from web applications running in the browser."PermalinkCommentstechnical msdn microsoft security xss XMLHttpRequest web browser

Framing « Experimental Turk

2009 Dec 3, 1:54Uses Amazon's mechanical Turk program to test framing: "Framing the outcomes in positive vs. negative terms produced a reversal of participants’ preferences for the two programs. In condition 1, the majority of respondents (69.4%) favored Program A, exhibiting risk aversion. In condition 2, the majority of respondents (65.3%) favored Program B, exhibiting risk seeking."PermalinkCommentsvia:pskomoroch science experiment social risk security mechanicalturk amazon

Ceci n'est pas un Bob: The Zone of Essential Risk

2009 Jun 10, 12:17"Bruce pointed out in his return email that while the fraud pattern was a good match for escrow, the transaction size wasn't: since the item exchanged in the eBay transaction he highlighted was sold for only $500, the price of an escrow agent would have been hard to justify. He's right."PermalinkCommentsblog security economics article bruce-schneier Bob-Blakley ebay

The Baudboys: Microsoft's Finest A Cappella

2008 May 5, 11:21"The Baudboys are an all-male a cappella group composed entirely of Microsoft employees. Risking the wrath of fellow employees by rehearsing in on-campus conference rooms, The Baudboys sing a variety of popular and original music."PermalinkCommentsmusic baudboys microsoft

Homemade GPS jammers raise concerns

2008 Apr 22, 4:33Reaction to Phrack's howto on GPS jammer. Sounds like the article wants to make it into a bigger issue than it is: "Information in the article that appears in the current issue of the online hacker magazine Phrack potentially puts at risk GPS devices usePermalinkCommentsgps gps-jamming phrack government
Older Entries Creative Commons License Some rights reserved.