Following up from bug #112573 and bug #153748, we should remove the ENABLE(CSP_NEXT)-guard around the code in ContentSecurityPolicy::protocolMatchesSelf() so that we allow a schemeless source expression to match against an HTTP or HTTPS resource. For example, assume the page http://www.example.com has the Content Security Policy script-src example.com. If the page loads an external JavaScript script https://example.com/script.js then the load will be blocked by the Content Security Policy of the page because the scheme of the page (http) differs from the scheme of the requested script (https). But the load should be allowed by <https://www.w3.org/TR/CSP2/#match-source-expression> (21 July 2015).
<rdar://problem/22708772>
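The scheme rule at issue in the report above, as an added example that is not WebKit's code: it compares the strict same-scheme check the report describes with the CSP2 rule for a source expression that has no scheme. All function names are hypothetical, and host matching is simplified to an exact hostname comparison (no wildcards, ports or paths).

```javascript
'use strict';

// Behaviour the report describes before the fix: the resource scheme must
// equal the scheme of the protected page. (Hypothetical name.)
function schemeMatchesSelfStrict(pageScheme, resourceScheme) {
  return pageScheme.toLowerCase() === resourceScheme.toLowerCase();
}

// CSP2 rule for a schemeless source expression: a page served over http may
// load http or https resources; any other page scheme must match exactly,
// so an https page is never downgraded to http. (Hypothetical name.)
function schemeMatchesSelfCSP2(pageScheme, resourceScheme) {
  const page = pageScheme.toLowerCase();
  const res = resourceScheme.toLowerCase();
  if (page === 'http') {
    return res === 'http' || res === 'https';
  }
  return res === page;
}

// Decide whether a schemeless host source such as "example.com" allows a load.
// Assumption: only the scheme rule and an exact hostname comparison are
// modelled; the full CSP2 algorithm also checks wildcards, ports and paths.
function schemelessSourceAllows(pageUrl, sourceHost, resourceUrl, schemeRule) {
  const page = new URL(pageUrl);
  const res = new URL(resourceUrl);
  const scheme = (u) => u.protocol.slice(0, -1); // "https:" -> "https"
  if (!schemeRule(scheme(page), scheme(res))) {
    return false;
  }
  return res.hostname.toLowerCase() === sourceHost.toLowerCase();
}

// The case from the report: http page, policy "script-src example.com",
// script requested over https.
const page = 'http://www.example.com/';
const script = 'https://example.com/script.js';
console.log('strict:', schemelessSourceAllows(page, 'example.com', script, schemeMatchesSelfStrict));
console.log('CSP2:  ', schemelessSourceAllows(page, 'example.com', script, schemeMatchesSelfCSP2));
```

The upgrade is one-way: with the CSP2 rule an https page with the same policy still refuses http://example.com/script.js.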
Created attachment 271196
Patch and Layout Tests

Comment on attachment 271196
Patch and Layout Tests

r=me.

Comment on attachment 271196
Patch and Layout Tests

Clearing flags on attachment: 271196

Committed r196581: <http://trac.webkit.org/changeset/196581>

All reviewed patches have been landed. Closing bug.
*** Bug 146723 has been marked as a duplicate of this bug. ***
Is this patch supposed to be in iOS 9.3.5? The bug still exists on an iPhone 4 which is claiming to be up to date, although the date of closing the bug is February 2016.