(→Source Expression List: port inheritance steps) |
|||
| Line 286: | Line 286: | ||
Source expressions are a combination of scheme and often host and port. Source expressions may contain wildcards. Examples of host-only source expressions are "<tt>*.mozilla.com</tt>" and "<tt>mozilla.org</tt>". Internationalized domain names are specified according to their [http://tools.ietf.org/html/rfc3492 punycode representations]. | Source expressions are a combination of scheme and often host and port. Source expressions may contain wildcards. Examples of host-only source expressions are "<tt>*.mozilla.com</tt>" and "<tt>mozilla.org</tt>". Internationalized domain names are specified according to their [http://tools.ietf.org/html/rfc3492 punycode representations]. | ||
Source expressions may also specify a scheme and/or port. If | Source expressions may also specify a scheme and/or port. | ||
If the scheme is not specified as part of the source expression it ''defaults to the same scheme as the protected document.'' | |||
If a port is not specified as the source expression, the port used for the source is either the default port for the source's scheme (if a scheme is specified) or if a scheme is not specified, both scheme and port are inherited from 'self' (the protected document). | |||
When a scheme alone is the entire source expression (e.g., <tt>javascript:</tt>) host and port restrictions are not enforced. This is because for some schemes, host and port are irrelevant (e.g., <tt>data:</tt>). | |||
Note that this inheriting of scheme and port cause SSL mixed content mode to be disabled by default. If a site wishes to include non-secure content in their top-level SSL page, they must opt-in to mixed content mode by specifying a non-secure scheme in the host expression. | |||
===Host-less Schemes=== | ===Host-less Schemes=== | ||
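Review bot: The added port sentence reads "If a port is not specified as the source expression", which should be "as part of the source expression" to match the scheme sentence just above it; as written it suggests a port could be the entire expression. The same sentence says that for an expression with no scheme "both scheme and port are inherited from 'self'", so it should state explicitly what that means for a host-only expression when the protected document is served on a non-default port, ideally with a one-line example. In the mixed-content note, "cause" should be "causes", and "host expression" should be "source expression", the term the rest of the section uses.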