- From: Neil Matatall <neilm@twitter.com>
- Date: Tue, 12 Feb 2013 15:00:58 -0800
- To: Adam Barth <w3c@adambarth.com>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
Yes, http page. Hmm even weirder:

<img src="http://google.com/asdf">
<img src="https://google.com/asdf">

I didn't supply the www :)

On https: it rejects http://google.com due to CSP violation.

On Tue, Feb 12, 2013 at 2:41 PM, Adam Barth <w3c@adambarth.com> wrote:
> Is this for an HTTP page? In the first case, you have an extra "www".
> If you want to whitelist subdomains, you'll need to specify *.google.com.
>
> On Tue, Feb 12, 2013 at 2:39 PM, Neil Matatall <neilm@twitter.com> wrote:
>> Version 26.0.1407.0 canary
>>
>> On Tue, Feb 12, 2013 at 2:37 PM, Neil Matatall <neilm@twitter.com> wrote:
>>> Given I have "X-Webkit-Csp: default-src 'self' google.com chrome-extension:; img-src google.com chrome-extension: data:; report-uri https://twitter.com/scribes/csp_report;"
>>>
>>> I get:
>>>
>>> Refused to load the image 'http://www.google.com/asdf' because it violates the following Content Security Policy directive: "img-src google.com chrome-extension: data:".
>>>
>>> Refused to load the image 'https://google.com/asdf' because it violates the following Content Security Policy directive: "img-src google.com chrome-extension: data:".
Received on Tuesday, 12 February 2013 23:01:28 UTC
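The source-expression matching Adam describes (a bare host like `google.com` does not cover `www.google.com`; only `*.google.com` does), as an added Python example that is not part of this thread or of any browser's code. It follows the CSP Level 2 host-source rules (a scheme-less source inherits the page's scheme, and https URLs are also allowed on an http page); the `strict` flag models the original CSP 1.0 rule, under which the scheme had to match exactly. Keyword sources such as `'self'` are out of scope, and the hosts and URLs are the ones from the thread.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def host_matches(pattern: str, host: str) -> bool:
    """Host-part rule: exact match, or a leading '*.' that matches any subdomain.
    '*.google.com' matches 'www.google.com' but not the bare 'google.com'."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return pattern == host

def scheme_matches(src_scheme: str, url_scheme: str, page_scheme: str, strict: bool) -> bool:
    """Scheme rule. An explicit scheme in the source must match exactly. A scheme-less
    source inherits the page's scheme; CSP Level 2 also lets https match on an http page,
    whereas the CSP 1.0 rule (strict=True) required the URL's scheme to equal the page's."""
    if src_scheme:
        return src_scheme == url_scheme
    if url_scheme == page_scheme:
        return True
    return not strict and page_scheme == "http" and url_scheme == "https"

def source_allows(source: str, url: str, page_scheme: str, strict: bool = False) -> bool:
    """Does one source expression allow url? Handles host-sources ('google.com',
    '*.google.com', 'https://google.com:443', 'google.com:*') and scheme-sources ('data:')."""
    u = urlsplit(url)
    if source.endswith(":") and "/" not in source:      # scheme-source, e.g. "data:"
        return u.scheme == source[:-1].lower()
    src_scheme, sep, rest = source.partition("://")
    if not sep:                                          # no scheme given in the source
        src_scheme, rest = "", source
    src_host, _, src_port = rest.partition(":")
    if not scheme_matches(src_scheme.lower(), u.scheme, page_scheme, strict):
        return False
    if not host_matches(src_host, u.hostname or ""):
        return False
    url_port = u.port or DEFAULT_PORTS.get(u.scheme)
    if src_port == "*":
        return True
    if src_port:
        return int(src_port) == url_port
    return url_port == DEFAULT_PORTS.get(u.scheme)       # no port in source: default port only

def directive_allows(directive_value: str, url: str, page_scheme: str, strict: bool = False) -> bool:
    """Check a URL against a whole directive value such as the thread's img-src list.
    Keyword sources ('self', 'none', nonces) are not modelled; they need the page origin."""
    return any(source_allows(s, url, page_scheme, strict) for s in directive_value.split())
```

Run against the thread's `img-src google.com chrome-extension: data:` on an http page, `http://www.google.com/asdf` is refused for the host mismatch, while `https://google.com/asdf` is allowed under the Level 2 rule and refused under the strict CSP 1.0 rule.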