canmove, Confirmed users
1,537
edits
Security/CSP/Spec: Difference between revisions
→Source Expression List
m (→report-uri) |
|||
| Line 293: | Line 293: | ||
Source expressions may also specify a scheme and/or port. | Source expressions may also specify a scheme and/or port. | ||
If the scheme is not specified as part of the source expression it ''defaults to the same scheme as the protected document.'' | If the scheme is not specified as part of the source expression it ''defaults to the same scheme as the protected document.'' | ||
If a port is not specified as the source expression, the port used for the source is | If a port is not specified as the source expression, the port used for the source is the default port for the source's scheme (whether it is inherited or explicitly specified in the source expression). | ||
When a scheme alone is the entire source expression (e.g., <tt>javascript:</tt>) host and port restrictions are not enforced. This is because for some schemes, host and port are irrelevant (e.g., <tt>data:</tt>). | When a scheme alone is the entire source expression (e.g., <tt>javascript:</tt>) host and port restrictions are not enforced. This is because for some schemes, host and port are irrelevant (e.g., <tt>data:</tt>). | ||
Note that this inheriting of scheme | Note that this inheriting of scheme causes SSL mixed content mode to be disabled by default. If a site wishes to include non-secure content in their top-level SSL page, they must opt-in to mixed content mode by specifying a non-secure scheme in the host expression. | ||
===Host-less Schemes=== | ===Host-less Schemes=== | ||