
CSP2: Exclude 'blob:' and 'filesystem:' from the 'self' source expression.

Category: Security
Type: New or changed feature
Status: Enabled by default (Chrome 45)
Intent stage: None

Summary

In CSP2, the `'self'` source expression explicitly excludes `blob:` and `filesystem:`. This means that developers will need to add those schemes explicitly to their directives if they wish to include content at those URLs.
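The matching rule described above, as an added example (not Chrome's code and not part of the original entry): a simplified model of CSP2 source matching that handles only `'self'` and scheme-sources. The origin, the sample URLs and the function names are constructed for illustration.

```javascript
// Added example: simplified model of CSP2 source matching.
// Covers 'self' and scheme-sources only; host-sources, nonces and hashes are out of scope.
const PAGE_ORIGIN = 'https://app.example'; // constructed origin
const BLOB_URL = 'blob:https://app.example/3f2a9c1e-0000-4000-8000-000000000000'; // constructed
const FS_URL = 'filesystem:https://app.example/temporary/worker.js'; // constructed

// Parse "name src src; name src" into a Map of directive name -> source list.
// When a directive is repeated, the first occurrence wins.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = (name || '').toLowerCase();
    if (key && !directives.has(key)) directives.set(key, sources);
  }
  return directives;
}

function matchesSource(url, source, pageOrigin) {
  if (source.toLowerCase() === "'self'") {
    // CSP2: blob: and filesystem: never match 'self', even though
    // such URLs are created by the page's own origin.
    if (url.protocol === 'blob:' || url.protocol === 'filesystem:') return false;
    return url.origin === pageOrigin;
  }
  // scheme-source such as "blob:" or "https:"
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return url.protocol === source.toLowerCase();
  return false;
}

// True if resourceUrl may load under `directive`, falling back to default-src.
function isAllowed(policy, directive, resourceUrl, pageOrigin = PAGE_ORIGIN) {
  const directives = parsePolicy(policy);
  const sources = directives.get(directive) ?? directives.get('default-src');
  if (!sources) return true; // no applicable directive: load is not restricted
  const url = new URL(resourceUrl);
  return sources.some((s) => matchesSource(url, s, pageOrigin));
}

// Audit a policy: which of the given URLs would be blocked for this directive?
function blockedUrls(policy, directive, urls) {
  return urls.filter((u) => !isAllowed(policy, directive, u));
}

console.log(blockedUrls("script-src 'self'", 'script-src', [PAGE_ORIGIN + '/app.js', BLOB_URL, FS_URL]));
console.log(blockedUrls("script-src 'self' blob: filesystem:", 'script-src', [BLOB_URL, FS_URL]));
```

A policy that relied on `'self'` to cover scripts, workers or images loaded from `blob:` or `filesystem:` URLs needs those schemes listed in the relevant directive, which is what the second call shows.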

Standards & signals

Docs: https://developer.mozilla.org/en-US/docs/Web/Security/CSP/CSP_policy_directives
