CSP: Insecure source expressions match secure URLs.

Category: Security
Type: New or changed feature
Status: Enabled by default (Chrome 49)
Intent stage: None

Summary

In the wake of Sniffly, it seems pretty reasonable to prevent folks from locking themselves into insecurity. To that end, Insecure schemes in source expressions now match their secure variants. That is, `http:` is equivalent to `http: https:`, and `http://a.com` to `http://a.com https://a.com`.

Standards & signals

Specification: http://w3c.github.io/webappsec-csp/#changes-from-level-2
Firefox: Shipped/Shipping
Safari: No signal
Web developers: No signals
Tracking bug: https://crbug.com/558232

View on chromestatus.com