Re: CSP - matching a URI against a source expression with no scheme

Hi Janusz!

In CSP 1.1, the matching behavior for a schemeless source expression relies
on the origin of the resource being protected. See step 3.4 of section for detail.

The intention is that 'script-src' would match both '' and '' when
applied to a resource itself served over HTTP. If the protected resource is
served over HTTPS, then 'script-src' would match only ''

some discussion around that decision.

Mike West <>, Developer Advocate
Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Google+:, Twitter: @mikewest, Cell: +49 162 10 255 91

On Wed, Mar 13, 2013 at 10:37 AM, Janusz Majnert <> wrote:

> Hi,
> If I understand correctly, matching the URI:
> "" against the source expression
> "" shall return a positive match?
> I would also like to ask for a clarification on point 3.4 of the
> matching algorithm (
> "uri-scheme" is the scheme part of the URI (according to point 3.2),
> why should it be compared to the scheme of the URI it was derived
> from? Or is "protected resource's URI" different from the URI being
> matched?
> Regards,
> Janusz Majnert

Received on Monday, 18 March 2013 10:38:02 UTC