<html>

    <head>

      <base href="https://bugs.webkit.org/" />

    </head>

    <body><table border="1" cellspacing="0" cellpadding="8">

        <tr>

          <th>Bug ID</th>

          <td><a class="bz_bug_link 

          bz_status_NEW "

   title="NEW - CSP: Source '*' should not match URLs with schemes blob, data, or filesystem"

   href="https://bugs.webkit.org/show_bug.cgi?id=154122">154122</a>

          </td>

        </tr>

        <tr>

          <th>Summary</th>

          <td>CSP: Source '*' should not match URLs with schemes blob, data, or filesystem

          </td>

        </tr>

        <tr>

          <th>Classification</th>

          <td>Unclassified

          </td>

        </tr>

        <tr>

          <th>Product</th>

          <td>WebKit

          </td>

        </tr>

        <tr>

          <th>Version</th>

          <td>WebKit Local Build

          </td>

        </tr>

        <tr>

          <th>Hardware</th>

          <td>All

          </td>

        </tr>

        <tr>

          <th>OS</th>

          <td>All

          </td>

        </tr>

        <tr>

          <th>Status</th>

          <td>NEW

          </td>

        </tr>

        <tr>

          <th>Severity</th>

          <td>Normal

          </td>

        </tr>

        <tr>

          <th>Priority</th>

          <td>P2

          </td>

        </tr>

        <tr>

          <th>Component</th>

          <td>WebCore Misc.

          </td>

        </tr>

        <tr>

          <th>Assignee</th>

          <td>webkit-unassigned&#64;lists.webkit.org

          </td>

        </tr>

        <tr>

          <th>Reporter</th>

          <td>dbates&#64;webkit.org

          </td>

        </tr>

        <tr>

          <th>CC</th>

          <td>webkit-bug-importer&#64;group.apple.com

          </td>

        </tr></table>

      <p>

        <div>

        <pre>Source '*' should not match URLs with schemes blob, data, or filesystem as per section Matching Source Expressions of Content Security Policy 2.0 spec. (29 August 2015):

[[

4.2.2. Matching Source Expressions

A URL url is said to match a source expression for a protected resource if the following algorithm returns does match:

1. Let url be the result of processing the URL through the URL parser.

2. If the source expression consists of a single U+002A ASTERISK character (*), and url’s scheme is not one of blob, data, filesystem, then return does match.

...

]]

&lt;<a href="https://w3c.github.io/webappsec-csp/2/#match-source-expression">https://w3c.github.io/webappsec-csp/2/#match-source-expression</a>&gt;

This is further stressed in section Security Considerations for GUID URL schemes:

[[

4.2.2.1. Security Considerations for GUID URL schemes

This section is not normative.

As defined above, special URL schemes that refer to specific pieces of unique content, such as &quot;data:&quot;, &quot;blob:&quot; and &quot;filesystem:&quot; are excluded from matching a policy of * and must be explicitly listed.

]]

&lt;<a href="https://w3c.github.io/webappsec-csp/2/#source-list-guid-matching">https://w3c.github.io/webappsec-csp/2/#source-list-guid-matching</a>&gt;</pre>

        </div>

      </p>

      <hr>

      <span>You are receiving this mail because:</span>

      <ul>

          <li>You are the assignee for the bug.</li>

      </ul>

    </body>

</html>