User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.104 Safari/537.36 Steps to reproduce: Have a page with the following CSP-policy: Content-Security-Policy: frame-src bankid://* and an iframe as follows: <iframe src="bankid://foobar"></iframe> If I'm reading the spec correctly, this should be an allowed host-source. A testcase exists here: https://peks.as/experiments/ffcsp1/ A workaround is to use frame-src bankid: instead, which works as expected. Actual results: The iframe is blocked by the CSP implementation and an error message is logged in the developer console: Content Security Policy: The page's settings blocked the loading of a resource at bankid://foobar ("frame-src bankid://*"). Expected results: No error in the console, the iframe shouldn't be blocked, and in this case an app associated with the custom scheme should have launched. This works as expected in Chrome 38.0.2125.104 m on Windows and in Mobile Safari on iOS 8.0.2.
Looks like this is a duplicate of https://bugzilla.mozilla.org/show_bug.cgi?id=1075230 Cannot reproduce it in nightly 36.0a1 (2014-10-23) so this seems fixed.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1075230
You need to log in before you can comment on or make changes to this bug.