<html>

    <head>

      <base href="https://bugs.webkit.org/" />

    </head>

    <body><table border="1" cellspacing="0" cellpadding="8">

        <tr>

          <th>Bug ID</th>

          <td><a class="bz_bug_link 

          bz_status_NEW "

   title="NEW - webkit handles CSP rules without protocol incorrectly"

   href="https://bugs.webkit.org/show_bug.cgi?id=146723">146723</a>

          </td>

        </tr>

        <tr>

          <th>Summary</th>

          <td>webkit handles CSP rules without protocol incorrectly

          </td>

        </tr>

        <tr>

          <th>Classification</th>

          <td>Unclassified

          </td>

        </tr>

        <tr>

          <th>Product</th>

          <td>WebKit

          </td>

        </tr>

        <tr>

          <th>Version</th>

          <td>528+ (Nightly build)

          </td>

        </tr>

        <tr>

          <th>Hardware</th>

          <td>All

          </td>

        </tr>

        <tr>

          <th>OS</th>

          <td>All

          </td>

        </tr>

        <tr>

          <th>Status</th>

          <td>NEW

          </td>

        </tr>

        <tr>

          <th>Severity</th>

          <td>Normal

          </td>

        </tr>

        <tr>

          <th>Priority</th>

          <td>P2

          </td>

        </tr>

        <tr>

          <th>Component</th>

          <td>Page Loading

          </td>

        </tr>

        <tr>

          <th>Assignee</th>

          <td>webkit-unassigned&#64;lists.webkit.org

          </td>

        </tr>

        <tr>

          <th>Reporter</th>

          <td>ksajxai&#64;gmail.com

          </td>

        </tr></table>

      <p>

        <div>

        <pre>Created <span class=""><a href="attachment.cgi?id=256373" name="attach_256373" title="example of safari incorrectly blocking script loading">attachment 256373</a> <a href="attachment.cgi?id=256373&amp;action=edit" title="example of safari incorrectly blocking script loading">[details]</a></span>

example of safari incorrectly blocking script loading

Webkit blocks loading resources if there is no protocol in CSP rule.

For example. it will block loading <a href="https://ajax.googleapis.com/ajax/libs/jquery/1.11.1/jquery.min.js">https://ajax.googleapis.com/ajax/libs/jquery/1.11.1/jquery.min.js</a> with the rule *.googleapis.com, but will allow with <a href="http://*.googleapis.com">http://*.googleapis.com</a>

This applies to any domain and both http and https.

So, all browsers work correctly with 'script-src': &quot;'self' 'unsafe-inline' 'unsafe-eval' *.googleapis.com:*&quot;, but for webkit safari I have to add <a href="https://*.googleapis.com">https://*.googleapis.com</a>, or they will generate me lots of csp reports, which do not actually violate anything.

This link <a href="http://content-security-policy.com/">http://content-security-policy.com/</a> says, that *.domain.domain should apply to both http and https and any subdomain.</pre>

        </div>

      </p>

      <hr>

      <span>You are receiving this mail because:</span>

      <ul>

          <li>You are the assignee for the bug.</li>

      </ul>

    </body>

</html>