
Note CSP host-source HTTP-vs-HTTPS restrictions #3899

Closed
sideshowbarker wants to merge 1 commit into main from sideshowbarker/csp-iframe-host-source-http-vs-https

Conversation

@sideshowbarker
Member

Fixes #2460

@sideshowbarker sideshowbarker requested a review from a team as a code owner April 7, 2021 02:44
@sideshowbarker sideshowbarker requested review from mirunacurtean and removed request for a team April 7, 2021 02:44
@github-actions
Contributor

github-actions bot commented Apr 7, 2021

Collaborator

@wbamberg wbamberg left a comment


Thanks @sideshowbarker !

I don't think this should be a warning note; it could just be a paragraph. And https://w3c.github.io/webappsec-csp/2/#match-source-expression is 404.

But also, I'm not sure I understand the content here. This is a version of the note at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors#sources, and it seems quite specific to iframes. But I don't understand what it means in the context of, say, the script-src directive.

It seems more like we want a general description of how URLs match against sources that omit the scheme, which presumably lives somewhere in https://w3c.github.io/webappsec-csp/#matching-urls.
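As an added illustration of the general rule the comment above asks for, the following Python is not code from the mdn/content repository or from the spec; it implements the "scheme-part match" step of URL matching from CSP Level 3 (https://w3c.github.io/webappsec-csp/#matching-urls) for host-sources that omit the scheme: such a source inherits the protected page's scheme, and `http` is allowed to match `https` but not the reverse, so the same `script-src cdn.example` admits both schemes on an `http:` page and only `https:` on an `https:` page. Hosts and URLs are constructed samples, path-parts are deliberately left out, and the simplified port handling is an assumption of this example rather than a transcription of every clause in the spec.

```python
"""Added example (not mdn/content or spec code): scheme-less host-source
matching in CSP Level 3, reduced to scheme, host and port.

Rule illustrated: when a host-source carries no scheme, the scheme of the
protected page's origin stands in for it, and a scheme A is a "scheme-part
match" for a URL scheme B when they are equal or B is the secure form of A.
"""
from urllib.parse import urlsplit

# Default ports per scheme; used when a host-source has no port-part.
DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}

# Upgrades permitted by the CSP3 scheme-part match: http -> https, etc.
SECURE_UPGRADES = {
    "http": {"https"},
    "ws": {"wss", "http", "https"},
    "wss": {"https"},
}


def scheme_part_match(a: str, b: str) -> bool:
    """CSP3 scheme-part match: A comes from the expression (or the page's
    origin when the expression has no scheme), B is the URL's scheme."""
    a, b = a.lower(), b.lower()
    return a == b or b in SECURE_UPGRADES.get(a, set())


def parse_host_source(expr: str):
    """Split a host-source into (scheme or None, host, port or None).
    Path-parts are intentionally not handled in this example."""
    scheme = None
    if "://" in expr:
        scheme, expr = expr.split("://", 1)
    port = None
    if ":" in expr:
        expr, port = expr.rsplit(":", 1)
    return scheme, expr.lower(), port


def host_part_match(pattern: str, host: str) -> bool:
    """'*' matches any host; '*.example.com' matches any subdomain but
    not the bare domain; otherwise the host must match exactly."""
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".example.com"
        return host.endswith(suffix) and len(host) > len(suffix)
    return pattern == host


def host_source_matches(expr: str, page_scheme: str, url: str) -> bool:
    """Does `url` match host-source `expr` on a page served over
    `page_scheme`? Returns True on a match, False otherwise."""
    src_scheme, src_host, src_port = parse_host_source(expr)
    u = urlsplit(url)
    url_scheme = u.scheme.lower()

    # Scheme: a scheme-less source inherits the protected page's scheme.
    effective_scheme = src_scheme if src_scheme is not None else page_scheme
    if not scheme_part_match(effective_scheme, url_scheme):
        return False

    # Host: exact match or wildcard-subdomain match.
    if not host_part_match(src_host, (u.hostname or "").lower()):
        return False

    # Port (simplified assumption): with no port-part the URL must sit on
    # its scheme's default port; '*' admits any port; else ports must agree.
    url_port = u.port if u.port is not None else DEFAULT_PORTS.get(url_scheme)
    if src_port is None:
        return url_port == DEFAULT_PORTS.get(url_scheme)
    if src_port == "*":
        return True
    return url_port == int(src_port)


if __name__ == "__main__":
    # Constructed samples showing why the page's scheme matters.
    for page in ("http", "https"):
        for candidate in ("http://cdn.example/app.js", "https://cdn.example/app.js"):
            ok = host_source_matches("cdn.example", page, candidate)
            print(f"page {page}: script-src cdn.example -> {candidate}: {ok}")
```

Running the block prints the four combinations for `script-src cdn.example`; the only one refused is an `http:` script on an `https:` page, which is the restriction the proposed note was trying to describe.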

@sideshowbarker sideshowbarker deleted the sideshowbarker/csp-iframe-host-source-http-vs-https branch April 7, 2021 05:34
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Aug 18, 2022


Successfully merging this pull request may close these issues.

CSP sources no URL scheme is specified note
