This is I think out of date but it refers to an interesting spec change that we should document: w3c/webappsec-csp@0e81d81.
http: is not equivalent to http: https:, and ws: to ws: wss:.
Likewise, handling for 'self' now includes https: and wss: on
the protected resource's host.
(I think "not" above should be "now")
The idea I think is that:
if you specify http: as the scheme in a source expression, the browser will allow https:
if you specify ws: as the scheme in a source expression, the browser will allow wss:
if you specify 'self' in a source expression, then wss: is allowed for the scheme if the rest of the origin matches
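The three rules listed in the issue above, as an added example that is not part of the original issue and is neither the spec's algorithm nor a browser's implementation. It models only scheme-sources and `'self'`; `connectSrcAllows` is a hypothetical helper, the URLs are constructed, and "the rest of the origin matches" is assumed to mean same hostname and same port.

```javascript
// Added example: simplified model of the three rules in the issue, not browser code.
// Covers only scheme-sources ("http:", "ws:", ...) and 'self'; host-sources are out of scope.

const scheme = (s) => s.toLowerCase().replace(/:$/, "");

// Rules 1 and 2: "http:" also allows https:, "ws:" also allows wss:. Never the reverse.
function schemeSourceAllows(exprScheme, urlScheme) {
  const a = scheme(exprScheme), b = scheme(urlScheme);
  return a === b || (a === "http" && b === "https") || (a === "ws" && b === "wss");
}

// Rule 3: 'self' allows the page's own origin, plus https:/wss: on the same host.
// Assumption: "rest of the origin matches" means same hostname and same port, where
// URL.port is "" for a scheme's default port (so http:80 lines up with wss:443).
function selfAllows(pageUrl, requestUrl) {
  const page = new URL(pageUrl), req = new URL(requestUrl);
  if (page.origin === req.origin) return true;
  const secure = ["https", "wss"].includes(scheme(req.protocol));
  return secure && page.hostname === req.hostname && page.port === req.port;
}

// Hypothetical helper: evaluate a connect-src source list against one request.
function connectSrcAllows(sources, pageUrl, requestUrl) {
  const reqScheme = new URL(requestUrl).protocol;
  return sources.some((src) =>
    src === "'self'" ? selfAllows(pageUrl, requestUrl)
    : /^[a-z][a-z0-9+.-]*:$/i.test(src) ? schemeSourceAllows(src, reqScheme)
    : false // host-sources and other expressions are not modelled here
  );
}

// Constructed sample requests.
const page = "https://app.example/";
console.log(connectSrcAllows(["'self'"], page, "wss://app.example/live"));   // true
console.log(connectSrcAllows(["'self'"], page, "ws://app.example/live"));    // false
console.log(connectSrcAllows(["ws:"], page, "wss://other.example/feed"));    // true
console.log(connectSrcAllows(["https:"], page, "http://other.example/api")); // false
```

When reviewing a policy, note that a bare `ws:` or `http:` scheme-source places no restriction on the host, so under these rules it also admits `wss:` or `https:` connections to any host.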
Josh-Cena added the help wanted label and removed the needs triage label on Oct 2, 2024.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/connect-src has a note: