Changes

Security/CSP/Specification

329 bytes removed, 23:33, 8 March 2010
Source Expression List
Source expressions may also specify a scheme and/or port.
If the scheme is not specified as part of the source expression it , a User Agent MUST ''defaults to use the same scheme as the protected document.'' If a port is not specified as the source expression, the port used for the source is a User Agent MUST use the default port for the source's scheme (whether it is inherited or explicitly specified in the source expression).
When a scheme alone is the entire source expression (e.g., <tt>javascript:</tt>) a User Agent MUST not enforce host and port restrictions are not enforced. This is because for some schemes, host and port are irrelevant (e.g., <tt>data:</tt>). Note that this inheriting of scheme causes SSL mixed content mode to be disabled by default. If a site wishes to include non-secure content in their top-level SSL page, they must opt-in to mixed content mode by specifying a non-secure scheme in the host expression.
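Review bot: In the scheme-only sentence, "a User Agent MUST not enforce host and port restrictions" should spell the RFC 2119 keyword in full capitals, "MUST NOT", to match the MUST and MAY used elsewhere in this change. As written, it can be read as a MUST followed by an ordinary "not". In the port sentence, "If a port is not specified as the source expression" should read "as part of the source expression", parallel to the scheme sentence before it. The mixed-content note ends with "in the host expression" while the rest of the section says "source expression"; use one term throughout. Because a scheme-only source lifts host and port restrictions entirely, it would also help to state that consequence for <tt>javascript:</tt> and <tt>data:</tt> in normative language rather than only in the explanatory sentence.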
====Host-less Schemes====
Valid sources do not always require a host. Schemes such as <tt>data</tt> and <tt>javascript</tt> can be enabled as a source by stating the name of the scheme followed by a colon. For example:;<tt>javascript:</tt>: allows javascript URIs
;<tt>data:</tt>: expresses support for all data URIs.
====Hostname Wildcards====
Each source expression's host name may MAY contain up to one wildcard (*) and it must MUST be the left-most DNS label.
<i>Valid</i> wildcard host names expressions include "<tt>*.mozilla.com</tt>" and "<tt>*</tt>".
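Review bot: The wildcard rule requires the wildcard to "be the left-most DNS label", yet the valid examples include a bare "<tt>*</tt>", which has no other labels. The text should say explicitly that "<tt>*</tt>" alone is permitted and what it matches. Since "Valid" is emphasized, listing the forms that are invalid (more than one wildcard, or a wildcard in a label other than the left-most) next to the valid ones would let implementers test the "up to one wildcard" and left-most constraints directly.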