CSP hint: unique origins aren't hierarchical, so don't add slashes, *, etc. when declaring as a scheme-source. Just "data:", "blob:", etc.
Replying to @hillbrad
@hillbrad Wait, what? "blob:"? Doesn't allowing https://example.org/ implicitly allow blobs from there?
Replying to @tehjh
@hillbrad http://www.w3.org/TR/CSP/#match-source-expression … step 4.4 first looks like it would block this, but it refers to the scheme of URL's origin, which is https
@hillbrad Ah, nvm. Didn't realize that you can't just use Blob URIs from another origin.
2:43 PM - 21 Jul 2015