CSP hint: unique origins aren't hierarchical, so don't add slashes, *, etc. when declaring a scheme-source. Just "data:", "blob:", etc.
@hillbrad Wait, what? "blob:"? Doesn't allowing https://example.org/ implicitly allow blobs from there?
@tehjh No, and unique schemes aren't matched by * either, because they are security-equivalent to 'unsafe-eval'.
@hillbrad Because even if the origins of a host-source expression and a blob URL match, the blob URL has no host (although its origin does)?
@tehjh Now that blobs have an origin and are frequently being used cross-origin, we may need to extend the syntax in CSP3.
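As an added example (not code from the thread, nor from any browser's CSP implementation), here is a simplified JavaScript version of the CSP3 source-expression matching rules, runnable under Node.js with its global URL class. The function names expressionMatches and policyAllows, the regular expressions, and the sample blob URL are my own constructions; keyword sources ('self', nonces, hashes) and percent-decoding of paths are left out. It shows the point made in the thread: a blob: or data: URL has no host, so https://example.org, *, and even blob://* never match it, while the bare scheme-source blob: does.

```javascript
// Added example, modelled on CSP3's "does url match expression" algorithm.
// Not a browser's code; keyword sources and percent-decoding are omitted.
// Uses Node's global URL (WHATWG URL parser).

const SPECIAL_SCHEMES = new Set(["http", "https", "ws", "wss"]);
const DEFAULT_PORT = { http: "80", https: "443", ws: "80", wss: "443" };

// Grammar approximations of CSP3 scheme-source and host-source (hypothetical helpers).
const SCHEME_SOURCE = /^([a-z][a-z0-9+.-]*):$/i;
const HOST_SOURCE =
  /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[a-z0-9-]+(?:\.[a-z0-9-]+)*)(?::(\*|\d+))?(\/\S*)?$/i;

// scheme-part match: "http" also covers "https", "ws" also covers "wss".
function schemeMatches(exprScheme, urlScheme) {
  const a = exprScheme.toLowerCase();
  const b = urlScheme.toLowerCase();
  return a === b || (a === "http" && b === "https") || (a === "ws" && b === "wss");
}

// host-part match: "*" matches any host, "*.example.org" matches subdomains only.
function hostMatches(exprHost, urlHost) {
  const a = exprHost.toLowerCase();
  const b = urlHost.toLowerCase();
  if (a === "*") return true;
  if (a.startsWith("*.")) return b.endsWith(a.slice(1));
  return a === b;
}

// Classify one source expression; returns null for anything this demo ignores.
function parseExpression(expr) {
  if (expr === "*") return { kind: "star" };
  let m = SCHEME_SOURCE.exec(expr);
  if (m) return { kind: "scheme", scheme: m[1] };
  m = HOST_SOURCE.exec(expr);
  if (m) return { kind: "host", scheme: m[1], host: m[2], port: m[3], path: m[4] };
  return null;
}

// Does the URL match one source expression? selfScheme is the scheme of the
// document carrying the policy; CSP3 lets '*' and scheme-less host-sources use it.
function expressionMatches(expr, urlString, selfScheme = "https") {
  const parsed = parseExpression(expr);
  if (!parsed) return false;
  const url = new URL(urlString);
  const urlScheme = url.protocol.slice(0, -1); // "blob:" -> "blob"

  if (parsed.kind === "star") {
    // '*' covers http(s)/ws(s) and the page's own scheme, never blob:/data:/filesystem:
    return SPECIAL_SCHEMES.has(urlScheme) || urlScheme === selfScheme;
  }
  if (parsed.kind === "scheme") return schemeMatches(parsed.scheme, urlScheme);

  // host-source from here on
  if (!schemeMatches(parsed.scheme || selfScheme, urlScheme)) return false;
  // A blob: or data: URL has no host (its origin may still be https://example.org),
  // so no host-source can ever match it. This is the point made in the thread.
  if (url.host === "") return false;
  if (!hostMatches(parsed.host, url.hostname)) return false;

  const urlPort = url.port || DEFAULT_PORT[urlScheme] || "";
  if (parsed.port === undefined) {
    if (url.port !== "") return false; // no port-part: URL must be on its default port
  } else if (parsed.port !== "*" && parsed.port !== urlPort) {
    return false;
  }

  if (parsed.path && parsed.path !== "/") {
    if (parsed.path.endsWith("/")) {
      if (!url.pathname.startsWith(parsed.path)) return false; // directory prefix
    } else if (url.pathname !== parsed.path) {
      return false; // exact file match
    }
  }
  return true;
}

// Does a directive value (the part after e.g. "script-src") allow the URL?
function policyAllows(directiveValue, urlString, selfScheme = "https") {
  return directiveValue
    .trim()
    .split(/\s+/)
    .some((expr) => expressionMatches(expr, urlString, selfScheme));
}

// Constructed sample: a blob URL minted by a page on https://example.org.
const demoBlobUrl = "blob:https://example.org/5b1e2d3c-0000-4000-8000-000000000000";
for (const value of ["https://example.org", "*", "blob://*", "blob:"]) {
  console.log(`script-src ${value.padEnd(20)} allows blob URL: ${policyAllows(value, demoBlobUrl)}`);
}
```

Only the last line of the demo loop reports true: a host-source and the * wildcard are rejected before host comparison because the parsed blob URL has an empty host, and "blob://*" is parsed as a host-source with scheme blob and host *, which fails the same check.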