[Webkit-unassigned] [Bug 160656] CSP Wildcard support

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Aug 9 11:45:48 PDT 2016


https://bugs.webkit.org/show_bug.cgi?id=160656

--- Comment #2 from Craig Francis <craig+webkit at craigfrancis.co.uk> ---
Hi Daniel,

I see what you mean in regards to WebKit being more restrictive than CSP2, which allows * to match an arbitrary scheme except those in {data:, blob:, and filesystem:}.

Although I think Chrome is about to one-up you (with the exception of ws/wss):

https://twitter.com/sshekyan/status/762873765143322624

"https://codereview.chromium.org/2209113002/ lands a breaking change in CSP: "*" only matches http/https/ws/wss, any other schemes have to be whitelisted."

I must admit I didn't test Firefox, but I would hope we can keep CSP as strict as possible (something Chrome seems to be ok with), but realise that backwards compatibility might have to take priority.

I should also thank you for continuing to improve the CSP implementation, it's good to see.

And please ignore my comment about Issue 153090... I wasn't sure if this issue should really have been a comment in that bug (marked as RESOLVED FIXED).

-- 
You are receiving this mail because:
You are the assignee for the bug.
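
The two `*` rules quoted in the comment above, applied to a policy, as an added example that is not part of the original message and is not WebKit or Chromium code. It models only the scheme part of source matching; the function names, sample policy and sample URLs are constructed for illustration.

```javascript
// Added example: models only the scheme part of "*" matching. All names and
// sample values are constructed, not taken from any browser's source.
const CSP2_EXCLUDED = new Set(["data:", "blob:", "filesystem:"]);
const NARROW_ALLOWED = new Set(["http:", "https:", "ws:", "wss:"]);
const wildcardRules = {
  // CSP2 wording: "*" matches any scheme except data:, blob:, filesystem:
  csp2: (scheme) => scheme !== null && !CSP2_EXCLUDED.has(scheme),
  // Chromium change quoted above: "*" matches http/https/ws/wss only
  narrow: (scheme) => scheme !== null && NARROW_ALLOWED.has(scheme),
};

function schemeOf(url) {
  const m = /^([a-z][a-z0-9+.-]*:)/i.exec(url);
  return m ? m[1].toLowerCase() : null;
}

// Split a policy string into Map(directive name -> source expressions).
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources); // first occurrence wins
    }
  }
  return directives;
}

// For each directive containing a bare "*", report URLs whose outcome differs
// between the two rules and is not settled by an explicit scheme source.
function wildcardDiff(policy, urls) {
  const report = [];
  for (const [directive, sources] of parsePolicy(policy)) {
    if (!sources.includes("*")) continue;
    for (const url of urls) {
      const scheme = schemeOf(url);
      if (sources.some((s) => s.toLowerCase() === scheme)) continue;
      const csp2 = wildcardRules.csp2(scheme);
      const narrow = wildcardRules.narrow(scheme);
      if (csp2 !== narrow) report.push({ directive, url, csp2, narrow });
    }
  }
  return report;
}

const SAMPLE_POLICY = "img-src *; media-src * mediastream:; script-src 'self'";
const SAMPLE_URLS = ["https://cdn.example/a.png", "data:image/png;base64,AAAA",
  "mediastream:abc", "ftp://files.example/x", "wss://example.test/socket"];
console.log(wildcardDiff(SAMPLE_POLICY, SAMPLE_URLS));
```

Each reported entry is a load that a bare `*` admits under the CSP2 rule but that would need an explicit scheme source under the narrower rule.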