Allow https: loads for http: restrictions #25

Closed
ckerschb opened this issue Oct 27, 2015 · 2 comments

@ckerschb

Similar to what applies to schemeless resources where CSP allows https: loads, the spec should be changed to also allow https: loads to succeed if the CSP src is defined as http:.

In easier words, given a CSP:

img-src http:
the CSP should allow loading https: images.

@mikewest
Member

I've thought about this a bit this morning after chatting with @TanviHacks and @rlbmoz, and I think it makes sense to always allow upgrades from insecure resources to secure resources at the same host and path. That is, if we do this for http:, we might as well do it for http://example.com and 'self' as well. I'll take a stab at this and #7 together, as they end up touching the same pieces.

@mikewest
Member

Poked at this in 0e81d81. WDYT?
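
A simplified sketch of the matching rule proposed in this thread, as an added example (not code from the CSP specification, the referenced commit, or any browser): an `http` scheme in a source expression also matches `https`, whether the expression is `http:`, `http://example.com` or `'self'`, while `https` never matches `http`. The function names, the port handling and the sample URLs are assumptions made for illustration; wildcards are not handled.

```javascript
// Added example, simplified: no wildcards, no 'none', http/https only.
const DEFAULT_PORT = { 'http:': '80', 'https:': '443' };

// An http expression also matches https; an https expression never matches http.
function schemeMatches(exprScheme, urlScheme) {
  return exprScheme === urlScheme ||
    (exprScheme === 'http:' && urlScheme === 'https:');
}

// Assumption: an expression without an explicit port accepts only the default
// port of the URL's own scheme, so an upgraded load moves from 80 to 443.
function portMatches(expr, url) {
  const urlPort = url.port || DEFAULT_PORT[url.protocol];
  if (expr.port) return expr.port === urlPort;
  return urlPort === DEFAULT_PORT[url.protocol];
}

// Path rule: a trailing "/" is a prefix match, anything else is an exact match.
function pathMatches(exprPath, urlPath) {
  return exprPath.endsWith('/') ? urlPath.startsWith(exprPath) : exprPath === urlPath;
}

function sourceAllows(expression, requestUrl, pageUrl) {
  const url = new URL(requestUrl);
  const page = new URL(pageUrl);
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expression)) {   // scheme-source, e.g. "http:"
    return schemeMatches(expression.toLowerCase(), url.protocol);
  }
  if (expression === "'self'") {                     // page origin, upgrade allowed
    return schemeMatches(page.protocol, url.protocol) &&
      page.hostname === url.hostname && portMatches(page, url);
  }
  // host-source; a schemeless one takes the scheme of the protected page
  const expr = new URL(expression.includes('://')
    ? expression : `${page.protocol}//${expression}`);
  return schemeMatches(expr.protocol, url.protocol) &&
    expr.hostname === url.hostname && portMatches(expr, url) &&
    pathMatches(expr.pathname, url.pathname);
}

// True when any expression in a directive's source list allows the request.
function directiveAllows(sourceList, requestUrl, pageUrl) {
  return sourceList.trim().split(/\s+/)
    .some((s) => sourceAllows(s, requestUrl, pageUrl));
}
```

With `img-src http:` this reports an `https:` image as allowed, and the reverse case (`https:` in the policy, `http:` image) as blocked.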
