| Index: chrome/common/extensions/docs/templates/articles/contentSecurityPolicy.html
|
| diff --git a/chrome/common/extensions/docs/templates/articles/contentSecurityPolicy.html b/chrome/common/extensions/docs/templates/articles/contentSecurityPolicy.html
|
| index 8ed936f6a145dd0bd4787b4e870c24f460eea04e..a76c35170ae5bf363953feaace34afa01286e642 100644
|
| --- a/chrome/common/extensions/docs/templates/articles/contentSecurityPolicy.html
|
| +++ b/chrome/common/extensions/docs/templates/articles/contentSecurityPolicy.html
|
| @@ -274,8 +274,13 @@ function main() {
|
| href="http://en.wikipedia.org/wiki/Man-in-the-middle_attack">man-in-the-middle
|
| attacks</a> are both trivial and undetectable over HTTP, those origins will
|
| not be accepted. Currently, we allow whitelisting origins with the following
|
| - schemes: <code>HTTPS</code>, <code>chrome-extension</code>, and
|
| - <code>chrome-extension-resource</code>.
|
| + schemes: <code>blob</code>, <code>filesystem</code>, <code>https</code>,
|
| + <code>chrome-extension</code>, and <code>chrome-extension-resource</code>.
|
| + The host part of the origin must explicitly be specified for the
|
| + <code>https</code> and <code>chrome-extension</code> schemes. Wildcards are
|
| + not allowed, unless it is a subdomain wildcard.
|
| + For example, <code>https://*</code> is not allowed, but
|
| + <code>https://example.com</code> and <code>https://*.example.com</code> are.
|
| </p>
|
|
|
| <p>
|
|
|
Chromium Code Reviews
Issue 481643002:
Disallow non-subdomain wildcards in the extension's CSP (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master