| Index: chrome/common/extensions/docs/templates/articles/contentSecurityPolicy.html
|
| diff --git a/chrome/common/extensions/docs/templates/articles/contentSecurityPolicy.html b/chrome/common/extensions/docs/templates/articles/contentSecurityPolicy.html
|
| index 8ed936f6a145dd0bd4787b4e870c24f460eea04e..83b019466630a89c66084457729a6c09f9442485 100644
|
| --- a/chrome/common/extensions/docs/templates/articles/contentSecurityPolicy.html
|
| +++ b/chrome/common/extensions/docs/templates/articles/contentSecurityPolicy.html
|
| @@ -273,9 +273,18 @@ function main() {
|
| network attacker. As <a
|
| href="http://en.wikipedia.org/wiki/Man-in-the-middle_attack">man-in-the-middle
|
| attacks</a> are both trivial and undetectable over HTTP, those origins will
|
| - not be accepted. Currently, we allow whitelisting origins with the following
|
| - schemes: <code>HTTPS</code>, <code>chrome-extension</code>, and
|
| - <code>chrome-extension-resource</code>.
|
| + not be accepted.
|
| +</p>
|
| +
|
| +<p>
|
| + Currently, we allow whitelisting origins with the following schemes:
|
| + <code>blob</code>, <code>filesystem</code>, <code>https</code>,
|
| + <code>chrome-extension</code>, and <code>chrome-extension-resource</code>.
|
| + The host part of the origin must explicitly be specified for the
|
| + <code>https</code> and <code>chrome-extension</code> schemes.
|
| + Generic wildcards such as <code>https:</code>, <code>https://*</code> and
|
| + <code>https://*.com</code> are not allowed; subdomain wildcards such as
|
| + <code>https://*.example.com</code> are allowed.
|
| </p>
|
|
|
| <p>
|
|
|
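Review bot: In the added paragraph, the host requirement is stated only for the https and chrome-extension schemes, so a reader cannot tell what form a blob, filesystem or chrome-extension-resource source must take, for instance whether the bare scheme is the expected entry. Please add a sentence covering those three schemes. The wildcard sentence also gives examples rather than the rule: it rejects "https://*.com" and accepts "https://*.example.com", but does not say where the line falls for multi-label suffixes, so stating the criterion that is actually applied would be more useful than the examples alone. The context lines above justify rejecting HTTP origins by the network-attacker risk; one clause on why blob and filesystem are acceptable to whitelist would keep that rationale complete. Nit: "must explicitly be specified" reads better as "must be explicitly specified".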