Bug 146723 - webkit handles CSP rules without protocol incorrectly
Summary: webkit handles CSP rules without protocol incorrectly
Status: RESOLVED DUPLICATE of bug 154177
Alias: None
Product: WebKit
Classification: Unclassified
Component: Page Loading (show other bugs)
Version: 528+ (Nightly build)
Hardware: All All
: P2 Normal
Assignee: Nobody
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2015-07-08 06:21 PDT by ksajxai
Modified: 2016-02-15 20:28 PST (History)
2 users (show)

See Also:

Attachments
example of safari incorrectly blocking script loading (242.75 KB, image/jpeg)
2015-07-08 06:21 PDT, ksajxai 		no flags Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description ksajxai 2015-07-08 06:21:32 PDT 
Created attachment 256373 [details]
example of safari incorrectly blocking script loading

Webkit blocks loading resources if there is no protocol in CSP rule.
For example. it will block loading https://ajax.googleapis.com/ajax/libs/jquery/1.11.1/jquery.min.js with the rule *.googleapis.com, but will allow with http://*.googleapis.com
This applies to any domain and both http and https.
So, all browsers work correctly with 'script-src': "'self' 'unsafe-inline' 'unsafe-eval' *.googleapis.com:*", but for webkit safari I have to add https://*.googleapis.com, or they will generate me lots of csp reports, which do not actually violate anything.

This link http://content-security-policy.com/ says, that *.domain.domain should apply to both http and https and any subdomain.
Comment 1 Radar WebKit Bug Importer 2015-07-09 05:57:02 PDT 
<rdar://problem/21744334>
Comment 2 Daniel Bates 2016-02-15 20:28:29 PST 

*** This bug has been marked as a duplicate of bug 154177 ***