Re: Rough sketch of directives for CSP 1.1

On 3 May 2012 12:19, Hill, Brad <bhill@paypal-inc.com> wrote:
> I think he's asking, if I list  "http://example.com", it should also allow "https://example.com".
>
> We discussed this at TPAC on Day 1.  The notes say that we decided that "example.com" (no scheme) implied both http and https, but explicitly listing a scheme doesn't imply automatic upgrade is allowed.

Exactly, thanks.  However, that doesn't seem to match the
implementation in Chrome, so I filed a bug against it. 126117[0]

-tom

[0] https://code.google.com/p/chromium/issues/detail?id=126117

Received on Thursday, 3 May 2012 16:40:59 UTC