CSP hint: unique origins aren't hierarchical, so don't add slashes, *, etc. when declaring as a scheme-source. Just "data:", "blob:", etc.
@hillbrad Because even if the origins of a host-source expression and a blob URL match, the blob URL has no host (although its origin does)?
@hillbrad I think I don't understand at which step in the spec this fails. The origins match.
@hillbrad http://www.w3.org/TR/CSP/#match-source-expression … step 4.4 first looks like it would block this, but it refers to the scheme of URL's origin, which is https
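
Added example, not part of the thread and not code from any of its participants: a small linter that applies the hint in the first tweet to a policy string, flagging `data:`/`blob:` style sources that carry slashes, `*`, or a missing colon. The function name, the scheme list (`filesystem` is an assumption beyond the two schemes the tweet names) and the sample policy are constructed for illustration.

```javascript
// Schemes to treat as scheme-only sources. "data" and "blob" come from the tweet;
// "filesystem" is an assumption of this example.
const SCHEME_ONLY = ["data", "blob", "filesystem"];

// Returns one finding per source expression that is not written as a bare "scheme:".
function lintCsp(policy) {
  const findings = [];
  for (const rawDirective of policy.split(";")) {
    const tokens = rawDirective.trim().split(/\s+/).filter(Boolean);
    if (tokens.length < 2) continue; // empty directive or empty source list
    const [name, ...sources] = tokens;
    for (const source of sources) {
      if (source.startsWith("'")) continue; // 'self', nonces, hashes
      const lower = source.toLowerCase();
      for (const scheme of SCHEME_ONLY) {
        let problem = null;
        if (lower === scheme) {
          // Without the colon the token fits the host-source grammar instead.
          problem = "missing colon, reads as a host name";
        } else if (lower.startsWith(scheme + ":") && lower.length > scheme.length + 1) {
          problem = "extra characters after the scheme";
        }
        if (problem) {
          findings.push({
            directive: name.toLowerCase(),
            source,
            problem,
            suggestion: scheme + ":",
          });
        }
      }
    }
  }
  return findings;
}

// Constructed sample policy: media-src is written correctly, the others are not.
const SAMPLE_POLICY =
  "default-src 'self'; img-src 'self' data://* blob:*; " +
  "media-src blob:; worker-src blob:// 'self'; font-src data";

for (const f of lintCsp(SAMPLE_POLICY)) {
  console.log(`${f.directive}: "${f.source}" -> "${f.suggestion}" (${f.problem})`);
}
```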