
CSP: Insecure source expressions match secure URLs.

In the wake of Sniffly, it seems pretty reasonable to prevent folks from locking themselves into insecurity. To that end, insecure schemes in source expressions now match their secure variants. That is, `http:` is equivalent to `http: https:`, and `http://a.com` to `http://a.com https://a.com`.
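
The matching rule described above, as an added example (not Chromium's code and not part of the original page). It is a simplified matcher that handles only scheme-sources and `scheme://host[:port]` sources; the function names and the `upgrade` flag, which switches between the old and new behaviour, are assumptions made for illustration.

```javascript
// Added example: simplified CSP source-expression matching, limited to the
// scheme upgrade described above. Not Chromium's implementation.
const DEFAULT_PORTS = { 'http:': '80', 'https:': '443' };

// True when a source expression's scheme admits the URL's scheme.
// `upgrade` toggles the rule: an insecure `http` source also matches `https`.
// The reverse never holds: an `https` source does not match an `http` URL.
function schemeMatches(sourceScheme, urlScheme, upgrade = true) {
  if (sourceScheme === urlScheme) return true;
  return upgrade && sourceScheme === 'http:' && urlScheme === 'https:';
}

// Handles only scheme-sources ("http:") and scheme://host[:port] sources;
// wildcards, paths and keywords are out of scope for this sketch.
function sourceMatches(source, url, upgrade = true) {
  const target = new URL(url);
  const src = source.toLowerCase();
  if (/^[a-z][a-z0-9+.-]*:$/.test(src)) {
    return schemeMatches(src, target.protocol, upgrade);
  }
  const m = /^([a-z][a-z0-9+.-]*:)\/\/([^/:]+)(?::(\d+))?$/.exec(src);
  if (!m) throw new Error(`unsupported source expression: ${source}`);
  const [, scheme, host, port] = m;
  if (!schemeMatches(scheme, target.protocol, upgrade)) return false;
  if (host !== target.hostname) return false;
  // URL.port is '' when the URL uses its scheme's default port.
  const urlPort = target.port || DEFAULT_PORTS[target.protocol];
  // Assumption of this sketch: an explicit source port is compared literally;
  // a source without a port admits only the default port of the URL's scheme.
  return port ? port === urlPort : urlPort === DEFAULT_PORTS[target.protocol];
}

// A source list allows a URL when any of its expressions matches.
function allows(sourceList, url, upgrade = true) {
  return sourceList.trim().split(/\s+/).some((s) => sourceMatches(s, url, upgrade));
}
```

With `upgrade` set to `false`, `allows('http://a.com', 'https://a.com/app.js')` returns `false`, which is the lock-in the change removes: a site could not move that resource to HTTPS without first editing its policy.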

Specification

Editor's draft

Status in Chromium

Enabled by default (launch bug) in:

  • Chrome for desktop release 49
  • Chrome for Android release 49
  • Android WebView release 49
  • Opera release 36
  • Opera for Android release 36

Consensus & Standardization

  • Shipped
  • No public signals
  • No public signals
  • No signals

Owner

Last updated on 2015-11-19