[Webkit-unassigned] [Bug 146723] New: webkit handles CSP rules without protocol incorrectly

[bugzilla-daemon at webkit.org]

https://bugs.webkit.org/show_bug.cgi?id=146723

            Bug ID: 146723
           Summary: webkit handles CSP rules without protocol incorrectly
    Classification: Unclassified
           Product: WebKit
           Version: 528+ (Nightly build)
          Hardware: All
                OS: All
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: Page Loading
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: ksajxai at gmail.com

Created attachment 256373
  --> https://bugs.webkit.org/attachment.cgi?id=256373&action=review
example of safari incorrectly blocking script loading

Webkit blocks loading resources if there is no protocol in CSP rule.
For example. it will block loading https://ajax.googleapis.com/ajax/libs/jquery/1.11.1/jquery.min.js with the rule *.googleapis.com, but will allow with http://*.googleapis.com
This applies to any domain and both http and https.
So, all browsers work correctly with 'script-src': "'self' 'unsafe-inline' 'unsafe-eval' *.googleapis.com:*", but for webkit safari I have to add https://*.googleapis.com, or they will generate me lots of csp reports, which do not actually violate anything.

This link http://content-security-policy.com/ says, that *.domain.domain should apply to both http and https and any subdomain.

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.webkit.org/pipermail/webkit-unassigned/attachments/20150708/4bc7a1e5/attachment.html>