
Re: No scheme in policy: Errors for either scheme

From: Neil Matatall <neilm@twitter.com>
Date: Tue, 12 Feb 2013 15:00:58 -0800
Message-ID: <CAOFLtbg0LVr615_=p5CiMExc9yi3pBB87B-QALVQACXQ_PWB3Q@mail.gmail.com>
To: Adam Barth <w3c@adambarth.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>

Yes, http page.

Hmm even weirder:

<img src="http://google.com/asdf">
<img src="https://google.com/asdf">

I didn't supply the www :)

On https: it rejects http://google.com due to CSP violation.

On Tue, Feb 12, 2013 at 2:41 PM, Adam Barth <w3c@adambarth.com> wrote:
> Is this for an HTTP page?  In the first case, you have an extra "www".
> If you want to whitelist subdomains, you'll need to specify
> *.google.com.
>
> On Tue, Feb 12, 2013 at 2:39 PM, Neil Matatall <neilm@twitter.com> wrote:
>> Version 26.0.1407.0 canary
>>
>> On Tue, Feb 12, 2013 at 2:37 PM, Neil Matatall <neilm@twitter.com> wrote:
>>> Given I have "X-Webkit-Csp:
>>> default-src 'self' google.com chrome-extension:; img-src google.com
>>> chrome-extension: data:; report-uri
>>> https://twitter.com/scribes/csp_report;"
>>>
>>> I get:
>>>
>>> Refused to load the image 'http://www.google.com/asdf' because it
>>> violates the following Content Security Policy directive: "img-src
>>> google.com chrome-extension: data:".
>>>
>>> Refused to load the image 'https://google.com/asdf' because it
>>> violates the following Content Security Policy directive: "img-src
>>> google.com chrome-extension: data:".
>>
Received on Tuesday, 12 February 2013 23:01:28 GMT
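The behaviour the thread is probing is the CSP rule for a host-source with no scheme: "google.com" in img-src inherits the scheme of the protected resource, so the same <img src> gets a different verdict on an http page than on an https page, and "google.com" never covers "www.google.com" (that needs "*.google.com", as Adam says). The following is an added example written for this archive page, not code from the list, from Chrome, or from the spec editors. It models the CSP 1.0 matching rules that were current in February 2013 (URL scheme must equal the page scheme when the source has none) and, as an option, the relaxation CSP Level 2 later added (a scheme-less source on an http page also matches https). The page origin http://twitter.com/ is an assumption; the thread only says it is an http page.

```javascript
// Added example (not code from the list, from Chrome, or from the CSP spec):
// a small model of CSP host-source matching for scheme-less sources.
//
// STRICT (default) follows CSP 1.0: with no scheme in the source, the URL's
// scheme must equal the protected resource's scheme.
// RELAXED adds the CSP Level 2 rule: on an http page a scheme-less source
// also matches https URLs.

const DEFAULT_PORTS = { 'http:': '80', 'https:': '443' };

// Split "google.com chrome-extension: data:" into source expressions.
function parseSourceList(directiveValue) {
  return directiveValue.trim().split(/\s+/).filter(Boolean);
}

// Parse one source expression. Returns null for keywords ('self' is handled
// by the caller) and for anything this model does not understand.
function parseSource(expr) {
  const schemeOnly = /^([a-z][a-z0-9+.-]*):$/i.exec(expr);   // "data:", "chrome-extension:"
  if (schemeOnly) return { schemeOnly: true, scheme: schemeOnly[1].toLowerCase() + ':' };
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[a-z0-9.-]+)(?::(\d+|\*))?$/i.exec(expr);
  if (!m) return null;
  return {
    schemeOnly: false,
    scheme: m[1] ? m[1].toLowerCase() + ':' : null,   // null => inherit from the page
    host: m[2].toLowerCase(),
    port: m[3] || null,                               // null => default port only
  };
}

// Does `expr` match `url` when the policy protects `pageOrigin`?
function sourceMatches(expr, url, pageOrigin, { relaxed = false } = {}) {
  const u = new URL(url);
  const page = new URL(pageOrigin);
  if (expr === "'self'") return u.origin === page.origin;
  const src = parseSource(expr);
  if (!src) return false;
  if (src.schemeOnly) return u.protocol === src.scheme;

  // Scheme: explicit in the source, or inherited from the protected resource.
  if (src.scheme) {
    if (u.protocol !== src.scheme) return false;
  } else if (u.protocol !== page.protocol) {
    const httpsUpgrade = relaxed && page.protocol === 'http:' && u.protocol === 'https:';
    if (!httpsUpgrade) return false;
  }

  // Host: "*" matches anything; "*.example.com" matches subdomains only
  // (not example.com itself); otherwise exact, case-insensitive match.
  const host = u.hostname.toLowerCase();
  if (src.host === '*') {
    // any host
  } else if (src.host.startsWith('*.')) {
    const suffix = src.host.slice(1);                // ".google.com"
    if (!host.endsWith(suffix) || host.length <= suffix.length) return false;
  } else if (host !== src.host) {
    return false;
  }

  // Port: WHATWG URL reports '' when the URL uses the scheme's default port.
  const urlPort = u.port || DEFAULT_PORTS[u.protocol] || '';
  if (src.port === '*') return true;
  if (src.port) return urlPort === src.port;
  return u.port === '';                              // no port in source => default port only
}

// Evaluate a whole directive value, e.g. the thread's img-src list.
function allowedBy(directiveValue, url, pageOrigin, opts) {
  return parseSourceList(directiveValue).some(expr => sourceMatches(expr, url, pageOrigin, opts));
}

// The img-src list from Neil's header, checked against the URLs he tried.
// The page origin is an assumption; the thread only says it is an http page.
const IMG_SRC = 'google.com chrome-extension: data:';

function reproduceThread(pageOrigin = 'http://twitter.com/') {
  return {
    wwwOverHttp:       allowedBy(IMG_SRC, 'http://www.google.com/asdf', pageOrigin),
    bareOverHttp:      allowedBy(IMG_SRC, 'http://google.com/asdf', pageOrigin),
    bareOverHttpsCsp1: allowedBy(IMG_SRC, 'https://google.com/asdf', pageOrigin),
    bareOverHttpsCsp2: allowedBy(IMG_SRC, 'https://google.com/asdf', pageOrigin, { relaxed: true }),
    wildcardFixesWww:  allowedBy('*.google.com', 'http://www.google.com/asdf', pageOrigin),
    wildcardBare:      allowedBy('*.google.com', 'http://google.com/asdf', pageOrigin),
  };
}

console.log(reproduceThread());
```

Run with Node: the two URLs Neil's Chrome build refused both come back false under the strict rule (www is a different host; https is a different scheme on an http page), while the https variant becomes allowed only under the later Level 2 relaxation. Swapping the page origin for https://twitter.com/ reverses the verdict for http://google.com, which is the rejection he reports on the https page. Note that "*.google.com" fixes the www case but does not cover the bare host, so a policy that needs both must list both.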