<html>
    <head>
      <base href="https://bugs.webkit.org/" />
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link 
          bz_status_NEW "
   title="NEW - CSP: Allow schemeless source expressions to match an HTTP or HTTPS resource"
   href="https://bugs.webkit.org/show_bug.cgi?id=154177">154177</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>CSP: Allow schemeless source expressions to match an HTTP or HTTPS resource
          </td>
        </tr>

        <tr>
          <th>Classification</th>
          <td>Unclassified
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>WebKit
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>WebKit Nightly Build
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>All
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>All
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Keywords</th>
          <td>InRadar
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>Normal
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>P2
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>WebCore Misc.
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>webkit-unassigned&#64;lists.webkit.org
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>dbates&#64;webkit.org
          </td>
        </tr>

        <tr>
          <th>CC</th>
          <td>dbates&#64;webkit.org
          </td>
        </tr></table>
      <p>
        <div>
        <pre>Following up from <a class="bz_bug_link 
          bz_status_RESOLVED  bz_closed"
   title="RESOLVED FIXED - CSP 1.1: Schemeless source expressions match HTTPS resources on HTTP sites."
   href="show_bug.cgi?id=112573">bug #112573</a> and <a class="bz_bug_link 
          bz_status_RESOLVED  bz_closed"
   title="RESOLVED FIXED - CSP: Support checking content security policy without a script execution context"
   href="show_bug.cgi?id=153748">bug #153748</a>, we should remove the ENABLE(CSP_NEXT)-guard around the code in ContentSecurityPolicy::protocolMatchesSelf() so that we allow a schemeless source expression to match against an HTTP or HTTPS resource.

For example, assume the page <a href="http://www.example.com">http://www.example.com</a> has Content Security Policy script-src example.com. If the page loads an external JavaScript script <a href="https://example.com/script.js">https://example.com/script.js</a> then the load will be blocked by the Content Security Policy of the page because the scheme of the page (http) differs from the scheme of the requested script (https). But the load should be allowed by &lt;<a href="https://www.w3.org/TR/CSP2/#match-source-expression">https://www.w3.org/TR/CSP2/#match-source-expression</a>&gt; (21 July 2015).</pre>
        </div>
      </p>
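<p>Added example, not WebKit's code and not the patch for this bug: a small self-contained C++ matcher that implements the CSP2 &sect;4.2.2 scheme rule the report cites for schemeless host-source expressions (a page served over http may load a matching resource over http or https; any other page scheme must match the resource scheme exactly; an explicit scheme in the expression must match exactly). The URL and source-expression parsers, the names <code>sourceExpressionMatches</code>, <code>schemeMatches</code>, <code>hostMatches</code> and <code>portMatches</code>, and the restriction to http/https default ports, exact or <code>*.</code> host matching and no path matching are all assumptions of this example, not CSP2 or WebKit behaviour.</p>

```cpp
// Added example (not WebKit code): CSP2-style host-source matching with the
// schemeless-expression scheme rule from CSP2 section 4.2.2.
// Assumptions: hand-rolled parser for scheme://host[:port][/path]; only
// http/https default ports are known; hosts are exact or "*." wildcards;
// paths are ignored; IPv6 literals in the host are not handled.
#include <algorithm>
#include <cassert>
#include <cctype>
#include <optional>
#include <string>

struct Url { std::string scheme; std::string host; int port = -1; std::string path; };
// Source expression pieces: any of scheme / host / port may be empty.
struct SourceExpression { std::string scheme; std::string host; std::string port; };

static std::string toLower(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return s;
}

static int defaultPort(const std::string& scheme) {
    if (scheme == "http") return 80;
    if (scheme == "https") return 443;
    return -1; // unknown scheme: no default port
}

// Returns -1 when the port is not a plain decimal number.
static int parsePort(const std::string& s) {
    if (s.empty() || !std::all_of(s.begin(), s.end(), [](unsigned char c) { return std::isdigit(c); }))
        return -1;
    return std::stoi(s);
}

static std::optional<Url> parseUrl(const std::string& s) {
    size_t schemeEnd = s.find("://");
    if (schemeEnd == std::string::npos) return std::nullopt;
    Url u;
    u.scheme = toLower(s.substr(0, schemeEnd));
    size_t authorityStart = schemeEnd + 3;
    size_t pathStart = s.find('/', authorityStart);
    std::string authority = s.substr(authorityStart,
        pathStart == std::string::npos ? std::string::npos : pathStart - authorityStart);
    u.path = pathStart == std::string::npos ? "/" : s.substr(pathStart);
    size_t colon = authority.rfind(':');
    if (colon != std::string::npos) {
        u.host = toLower(authority.substr(0, colon));
        u.port = parsePort(authority.substr(colon + 1));
    } else {
        u.host = toLower(authority);
        u.port = defaultPort(u.scheme); // no explicit port: use the scheme default
    }
    if (u.host.empty()) return std::nullopt;
    return u;
}

static SourceExpression parseSourceExpression(const std::string& s) {
    SourceExpression e;
    std::string rest = s;
    size_t schemeEnd = rest.find("://");
    if (schemeEnd != std::string::npos) {
        e.scheme = toLower(rest.substr(0, schemeEnd));
        rest = rest.substr(schemeEnd + 3);
    }
    size_t slash = rest.find('/');           // drop any path-part (not matched here)
    if (slash != std::string::npos) rest = rest.substr(0, slash);
    size_t colon = rest.find(':');
    if (colon != std::string::npos) {
        e.port = rest.substr(colon + 1);
        rest = rest.substr(0, colon);
    }
    e.host = toLower(rest);
    return e;
}

// The rule this bug is about: a schemeless expression on an http page matches
// both http and https resources; everywhere else the scheme must match exactly.
static bool schemeMatches(const SourceExpression& expr, const Url& page, const Url& url) {
    if (!expr.scheme.empty()) return expr.scheme == url.scheme;
    if (page.scheme == "http") return url.scheme == "http" || url.scheme == "https";
    return url.scheme == page.scheme;
}

static bool hostMatches(const std::string& pattern, const std::string& host) {
    if (pattern.rfind("*.", 0) == 0) {          // "*.example.com" matches any subdomain
        std::string suffix = pattern.substr(1); // ".example.com"
        return host.size() > suffix.size()
            && host.compare(host.size() - suffix.size(), suffix.size(), suffix) == 0;
    }
    return pattern == host;
}

static bool portMatches(const SourceExpression& expr, const Url& url) {
    if (expr.port.empty()) return url.port == defaultPort(url.scheme); // CSP2: default port only
    if (expr.port == "*") return true;
    return parsePort(expr.port) == url.port;
}

bool sourceExpressionMatches(const std::string& expression, const std::string& pageUrl,
                             const std::string& resourceUrl) {
    std::optional<Url> page = parseUrl(pageUrl);
    std::optional<Url> url = parseUrl(resourceUrl);
    if (!page || !url) return false;
    SourceExpression expr = parseSourceExpression(expression);
    return schemeMatches(expr, *page, *url) && hostMatches(expr.host, url->host) && portMatches(expr, *url);
}

int main() {
    // The report's example: http page, "script-src example.com", https script -> allowed.
    assert(sourceExpressionMatches("example.com", "http://www.example.com", "https://example.com/script.js"));
    // No downgrade: an https page may not load http from a schemeless expression.
    assert(!sourceExpressionMatches("example.com", "https://www.example.com", "http://example.com/script.js"));
    return 0;
}
```

<p>Usage: compile with any C++17 compiler and run; the assertions in <code>main</code> cover the report's scenario and the reverse (https page, http resource), which stays blocked under the same rule.</p>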
    </body>
</html>