Bug 146723

Summary:

webkit handles CSP rules without protocol incorrectly

Product:

WebKit

Reporter:

ksajxai

Component:

Page Loading

Assignee:

Nobody <webkit-unassigned>

Status:

RESOLVED DUPLICATE

Severity:

Normal

CC:

dbates, webkit-bug-importer

Priority:

Keywords:

InRadar

Version:

528+ (Nightly build)

Hardware:

All

OS:

All

Attachments:

Description	Flags
example of safari incorrectly blocking script loading	none

Description ksajxai 2015-07-08 06:21:32 PDT

Created attachment 256373 [details]
example of safari incorrectly blocking script loading

Webkit blocks loading resources if there is no protocol in CSP rule.
For example. it will block loading https://ajax.googleapis.com/ajax/libs/jquery/1.11.1/jquery.min.js with the rule *.googleapis.com, but will allow with http://*.googleapis.com
This applies to any domain and both http and https.
So, all browsers work correctly with 'script-src': "'self' 'unsafe-inline' 'unsafe-eval' *.googleapis.com:*", but for webkit safari I have to add https://*.googleapis.com, or they will generate me lots of csp reports, which do not actually violate anything.

This link http://content-security-policy.com/ says, that *.domain.domain should apply to both http and https and any subdomain.

Comment 1 Radar WebKit Bug Importer 2015-07-09 05:57:02 PDT

<rdar://problem/21744334>

Comment 2 Daniel Bates 2016-02-15 20:28:29 PST


*** This bug has been marked as a duplicate of bug 154177 ***