User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:18.104.22.168) Gecko/20110302 Iceweasel/3.5.16 (like Firefox/3.5.16)
Build Identifier: Mozilla/5.0 (Windows NT 5.1; rv:2.0.1) Gecko/20100101 Firefox/4.0.1

Hi. If I use the following (Apache) configuration

    Header set X-Content-Security-Policy-Report-Only \
        "allow *.domain1.tld *.domain2.tld; \
        options eval-script inline-script; \
        report-uri /perl/csp-report.pl"

I find reports in my log about images with http:// URLs on https:// pages as a violation of "allow *.domain1.tld *.domain2.tld". I don't see why they are violations. The schema is not mentioned in the policy.

Sincerely,
Joachim

Reproducible: Always
CSP is working in this case in the way it was designed. You cannot whitelist all schemes with a wildcard; you must be explicit with schemes. From https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html#source-expressions :

> a scheme is not specified as part of the source expression, a user-agent must
> use the same scheme as the protected document.

In your case, https:// is inherited from the top-level page since no schemes are specified in the policy. To allow both, you have to whitelist both, e.g.:

    allow *.domain1.tld http://*.domain1.tld *.domain2.tld http://*.domain2.tld

This was designed specifically to prevent sites from unintentionally whitelisting arbitrary protocols for their site content.
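The scheme-inheritance rule quoted above, worked through as an added example (not code from the bug report or from Firefox): a small matcher that evaluates a source list the way the reply describes, so the reporter's `allow` list and the corrected one can be compared on the same image URL. The policy strings, URLs and function names are constructed for illustration; ports and the bare `*` source are handled only as far as the page's rule goes (a missing scheme is taken from the protected document).

```python
from urllib.parse import urlsplit

def source_matches(source_expr, resource_url, document_url):
    """True if one CSP source expression matches resource_url.

    A source expression with no scheme ("*.domain1.tld") inherits the
    scheme of the protected document, per the rule quoted in the reply,
    so on an https:// page it only matches https:// resources.
    """
    res = urlsplit(resource_url)
    doc = urlsplit(document_url)
    if "://" in source_expr:
        scheme, host = source_expr.split("://", 1)   # explicit scheme
    else:
        scheme, host = doc.scheme, source_expr        # inherited scheme
    if res.scheme != scheme:
        return False
    if host == "*":
        return True                                   # any host, same scheme
    if host.startswith("*."):
        # "*.domain1.tld" matches subdomains such as img.domain1.tld
        return res.hostname is not None and res.hostname.endswith(host[1:])
    return res.hostname == host

def policy_allows(source_list, resource_url, document_url):
    """Evaluate a whitespace-separated source list (the value after 'allow')."""
    return any(source_matches(s, resource_url, document_url)
               for s in source_list.split())

def violations(source_list, resource_urls, document_url):
    """Return the resource URLs a report-only policy would report."""
    return [u for u in resource_urls
            if not policy_allows(source_list, u, document_url)]

if __name__ == "__main__":
    # Constructed sample: an https:// page loading one http:// and one https:// image.
    page = "https://www.domain1.tld/index.html"
    images = ["http://img.domain1.tld/logo.png", "https://img.domain2.tld/photo.jpg"]
    reporter_policy = "*.domain1.tld *.domain2.tld"
    fixed_policy = "*.domain1.tld http://*.domain1.tld *.domain2.tld http://*.domain2.tld"
    print("reported under original policy:", violations(reporter_policy, images, page))
    print("reported under corrected policy:", violations(fixed_policy, images, page))
```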
Status: UNCONFIRMED → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → INVALID