canmove, Confirmed users
1,537
edits
Security/CSP/Specification: Difference between revisions
→Source Expression List
| Line 121: | Line 121: | ||
Source expressions may also specify a scheme and/or port. | Source expressions may also specify a scheme and/or port. | ||
If the scheme is not specified as part of the source expression | If the scheme is not specified as part of the source expression, a User Agent MUST ''use the same scheme as the protected document.'' | ||
If a port is not specified as the source expression, | If a port is not specified as the source expression, a User Agent MUST use the default port for the source's scheme (whether it is inherited or explicitly specified in the source expression). | ||
When a scheme alone is the entire source expression (e.g., <tt>javascript:</tt>) host and port restrictions | When a scheme alone is the entire source expression (e.g., <tt>javascript:</tt>) a User Agent MUST not enforce host and port restrictions. This is because for some schemes, host and port are irrelevant (e.g., <tt>data:</tt>). | ||
====Host-less Schemes==== | ====Host-less Schemes==== | ||
Valid sources do not always require a host. Schemes such as <tt>data | Valid sources do not always require a host. Schemes such as <tt>data</tt> can be enabled as a source by stating the name of the scheme followed by a colon. For example: | ||
;<tt>data:</tt>: expresses support for all data URIs. | ;<tt>data:</tt>: expresses support for all data URIs. | ||
| Line 142: | Line 139: | ||
====Hostname Wildcards==== | ====Hostname Wildcards==== | ||
Each source expression's host name | Each source expression's host name MAY contain up to one wildcard (*) and it MUST be the left-most DNS label. | ||
<i>Valid</i> wildcard host names expressions include "<tt>*.mozilla.com</tt>" and "<tt>*</tt>". | <i>Valid</i> wildcard host names expressions include "<tt>*.mozilla.com</tt>" and "<tt>*</tt>". | ||