We should merge <https://src.chromium.org/viewvc/blink?view=rev&revision=180407>.

Disallow an empty host in a CSP host-source directive

Currently "https://" is accepted and treated like "https:". This behavior has never been part of any standard.

The syntax is specified in http://www.w3.org/TR/CSP11/#source-list-syntax

    host-source = [ scheme-part "://" ] host-part [ port-part ] [ path-part ]
    host-part   = "*" / [ "*." ] 1*host-char *( "." 1*host-char )

As you can see, the host-part is NOT optional.
<rdar://problem/24383366>
Created attachment 271461: Patch
Comment on attachment 271461: Patch

r=me.
Committed r196653: <http://trac.webkit.org/changeset/196653>
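
Added example (not code from the WebKit or Blink patch): a small classifier for the host-source grammar quoted in the report, showing that "https:" is a scheme-source while "https://" matches nothing. The scheme-part, host-char and port-part rules are taken from the CSP source-list grammar; the path rule is a simplified stand-in, and all function names and the sample source list are constructed for illustration.

```javascript
// Grammar fragments (CSP source-list syntax). PATH is a simplification of the
// RFC 3986 path production (assumption); keyword, nonce and hash sources are
// out of scope and skipped by invalidSources().
const SCHEME = "[A-Za-z][A-Za-z0-9+.-]*";
const HOST_CHARS = "[A-Za-z0-9-]+";                       // 1*host-char
const HOST = `(?:\\*|(?:\\*\\.)?${HOST_CHARS}(?:\\.${HOST_CHARS})*)`;
const PORT = "(?::(?:[0-9]+|\\*))";
const PATH = "(?:/[^\\s;,]*)";

// scheme-source = scheme-part ":"
const SCHEME_SOURCE = new RegExp(`^${SCHEME}:$`);
// host-source = [ scheme-part "://" ] host-part [ port-part ] [ path-part ]
const HOST_SOURCE = new RegExp(`^(?:(${SCHEME})://)?(${HOST})(${PORT})?(${PATH})?$`);

// Classify one source expression. The host-part is mandatory, so a bare
// "scheme://" falls through to "invalid" instead of acting like "scheme:".
function classifySource(expr) {
  if (SCHEME_SOURCE.test(expr)) {
    return { kind: "scheme-source", scheme: expr.slice(0, -1) };
  }
  const m = HOST_SOURCE.exec(expr);
  if (!m) return { kind: "invalid" };
  return {
    kind: "host-source",
    scheme: m[1] || null,
    host: m[2],
    port: m[3] ? m[3].slice(1) : null,
    path: m[4] || null,
  };
}

// Return the tokens of a source list that match neither production.
function invalidSources(sourceList) {
  return sourceList
    .trim()
    .split(/\s+/)
    .filter((tok) => !tok.startsWith("'"))               // skip 'self', 'nonce-...'
    .filter((tok) => classifySource(tok).kind === "invalid");
}

// Constructed sample source list for auditing.
const SAMPLE =
  "https: https:// https://example.com *.example.com:* http://cdn.example.net:8080/js/ 'self'";

console.log(invalidSources(SAMPLE));
```

Running invalidSources over deployed policies is one way to find entries such as "https://" that a parser following the grammar no longer matches.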