We should merge <https://src.chromium.org/viewvc/blink?view=rev&revision=180407>.
Disallow an empty host in a CSP host-source directive
Currently "https://" is accepted and treated like "https:". This behavior has never been part of any standard.
The syntax is specified in http://www.w3.org/TR/CSP11/#source-list-syntax
host-source = [ scheme-part "://" ] host-part [ port-part ] [ path-part ]
host-part = "*" / [ "*." ] 1*host-char *( "." 1*host-char )
As you can see, the host-part is NOT optional.
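Added example (not part of the original report or of the WebKit/Blink patch): a small classifier for the grammar quoted above, showing that "https://" matches neither scheme-source nor host-source and so is dropped rather than widened to every https origin. The function names and the sample policy value are constructed for illustration, and path-part is simplified as noted in the comments.

```javascript
// Grammar pieces. host-part is quoted in the report; scheme-part, host-char and
// port-part are taken from the linked CSP 1.1 spec. PATH is a simplification
// (assumption): "/" followed by any characters other than whitespace, ";" or ",".
const SCHEME = "[A-Za-z][A-Za-z0-9+.-]*";
const LABEL = "[A-Za-z0-9-]+"; // 1*host-char
const HOST = `(?:\\*|(?:\\*\\.)?${LABEL}(?:\\.${LABEL})*)`;
const PORT = "(?::(?:[0-9]+|\\*))";
const PATH = "(?:/[^\\s;,]*)";

const SCHEME_SOURCE = new RegExp(`^(${SCHEME}):$`);
const HOST_SOURCE = new RegExp(`^(?:(${SCHEME})://)?(${HOST})(${PORT})?(${PATH})?$`);

// Classify one source expression. Keyword, nonce and hash sources are out of
// scope here and are reported as "invalid" by this function.
function classifySource(expr) {
  let m = SCHEME_SOURCE.exec(expr);
  if (m) return { kind: "scheme-source", scheme: m[1].toLowerCase() };
  m = HOST_SOURCE.exec(expr);
  if (m) {
    return {
      kind: "host-source",
      scheme: m[1] ? m[1].toLowerCase() : null,
      host: m[2].toLowerCase(),
      port: m[3] ? m[3].slice(1) : null,
      path: m[4] || null,
    };
  }
  return { kind: "invalid" };
}

// Split a directive value and drop expressions that do not match the grammar,
// instead of widening them to a scheme-source.
function filterSourceList(value) {
  const accepted = [], rejected = [];
  for (const expr of value.trim().split(/\s+/).filter(Boolean)) {
    (classifySource(expr).kind === "invalid" ? rejected : accepted).push(expr);
  }
  return { accepted, rejected };
}

// Constructed sample policy value (hosts are placeholders).
const sample = "https://cdn.example.com https:// *.example.org:8443 https:";
console.log(filterSourceList(sample));
```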
Created attachment 271461
Comment on attachment 271461
Committed r196653: <http://trac.webkit.org/changeset/196653>