[Webkit-unassigned] [Bug 160656] CSP Wildcard support
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Tue Aug 9 11:45:48 PDT 2016
https://bugs.webkit.org/show_bug.cgi?id=160656
--- Comment #2 from Craig Francis <craig+webkit at craigfrancis.co.uk> ---
Hi Daniel,
I see what you mean in regards to WebKit being more restrictive than CSP2, which allows * to match an arbitrary scheme except those in {data:, blob:, and filesystem:}.
Although I think Chrome is about to one up you (with the exception of ws/wss):
https://twitter.com/sshekyan/status/762873765143322624
"https://codereview.chromium.org/2209113002/ lands a breaking change in CSP: "*" only matches http/https/ws/wss, any other schemes have to be whitelisted."
I must admit I didn't test Firefox, but I would hope we can keep CSP as strict as possible (something Chrome seems to be ok with), but realise that backwards compatibility might have to take priority.
I should also thank you for continuing to improve the CSP implementation, it's good to see.
And please ignore my comment about Issue 153090... I wasn't sure if this issue should really have been a comment in that bug (marked as RESOLVED FIXED).
--
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.webkit.org/pipermail/webkit-unassigned/attachments/20160809/c1074890/attachment.html>
More information about the webkit-unassigned
mailing list