Bug 146723

Summary:

webkit handles CSP rules without protocol incorrectly

Product:

WebKit

Reporter:

ksajxai

Component:

Page Loading

Assignee:

Nobody <webkit-unassigned>

Status:

RESOLVED DUPLICATE

Severity:

Normal

CC:

dbates, webkit-bug-importer

Priority:

Keywords:

InRadar

Version:

528+ (Nightly build)

Hardware:

All

OS:

All

Attachments:

Description	Flags
example of safari incorrectly blocking script loading	none

ksajxai

Reported 2015-07-08 06:21:32 PDT

Created attachment 256373 [details] example of safari incorrectly blocking script loading Webkit blocks loading resources if there is no protocol in CSP rule. For example. it will block loading https://ajax.googleapis.com/ajax/libs/jquery/1.11.1/jquery.min.js with the rule *.googleapis.com, but will allow with http://*.googleapis.com This applies to any domain and both http and https. So, all browsers work correctly with 'script-src': "'self' 'unsafe-inline' 'unsafe-eval' *.googleapis.com:*", but for webkit safari I have to add https://*.googleapis.com, or they will generate me lots of csp reports, which do not actually violate anything. This link http://content-security-policy.com/ says, that *.domain.domain should apply to both http and https and any subdomain.

Attachments
example of safari incorrectly blocking script loading (242.75 KB, image/jpeg) 2015-07-08 06:21 PDT, ksajxai	no flags	Details
View All Add attachment proposed patch, testcase, etc.

Radar WebKit Bug Importer

Comment 1 2015-07-09 05:57:02 PDT

<rdar://problem/21744334>

Daniel Bates

Comment 2 2016-02-15 20:28:29 PST

*** This bug has been marked as a duplicate of bug 154177 ***

Note You need to log in before you can comment on or make changes to this bug.