I came across <https://chromium.googlesource.com/chromium/src/+/7bd0a75e3f71a10e71ded31ea5905d5ee3d992eb> today (05/02). We should consider merging it. As per step 8.5.4 of section Does url match expression in origin with redirect count of the Content Security Policy Level 3 spec., we should perform a case-sensitive match of the path portion of the request URL against the path of the source expression regardless of whether the source expression ends in a '/'. The following is a re-publishing of the relevant section: [[ ... 8. If expression contains a non-empty path-part, and redirect count is 0, then: 1. Let exact match be false if the final character of expression’s path-part is the U+002F SOLIDUS character (/), and true otherwise. 2. Let path list be the result of strictly splitting expression’s path-part on the U+002F SOLIDUS character (/). 3. If path list has more items than url’s path, return "Does Not Match". 4. If exact match is true, and path list does not have the same number of items as url’s path, return "Does Not Match". 5. For each expression piece in path list: 1. Let url piece be the next item in url’s path. 2. Percent decode expression piece. 3. Percent decode url piece. 4. If expression piece is not a case-sensitive match for url piece, return "Does Not Match". ]] <https://w3c.github.io/webappsec-csp/#match-url-to-source-expression> (Editor's Draft, 27 April 2016) For example, suppose the Content Security Policy of a page is "script-src http://www.example.com/A/" and it contains <script src="http://www.example.com/a/b.js">. Then the <script> should be blocked by the Content Security Policy of the page because "http://www.example.com/a/b.js" does not start with "http://www.example.com/A/".