Upstream version 10.39.225.0
[platform/framework/web/crosswalk.git] / src / chrome / common / extensions / docs / templates / articles / contentSecurityPolicy.html
index 8ed936f..83b0194 100644 (file)
@@ -273,9 +273,18 @@ function main() {
   network attacker. As <a
   href="http://en.wikipedia.org/wiki/Man-in-the-middle_attack">man-in-the-middle
   attacks</a> are both trivial and undetectable over HTTP, those origins will
-  not be accepted. Currently, we allow whitelisting origins with the following
-  schemes: <code>HTTPS</code>, <code>chrome-extension</code>, and
-  <code>chrome-extension-resource</code>.
+  not be accepted.
+</p>
+
+<p>
+  Currently, we allow whitelisting origins with the following schemes:
+  <code>blob</code>, <code>filesystem</code>, <code>https</code>,
+  <code>chrome-extension</code>, and <code>chrome-extension-resource</code>.
+  The host part of the origin must explicitly be specified for the
+  <code>https</code> and <code>chrome-extension</code> schemes.
+  Generic wildcards such as <code>https:</code>, <code>https://*</code> and
+  <code>https://*.com</code> are not allowed; subdomain wildcards such as
+  <code>https://*.example.com</code> are allowed.
 </p>
 
 <p>
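Review bot: In the added paragraph, the sentence "The host part of the origin must explicitly be specified for the https and chrome-extension schemes" covers only two of the five schemes listed just before it, so the text does not say what form a blob, filesystem or chrome-extension-resource source has to take, or whether a bare scheme such as blob: is accepted. Suggest stating the accepted source form for each listed scheme. The wildcard sentence also leaves "generic" undefined beyond its three examples; it should say whether a wildcard directly under a multi-label public suffix (for example https://*.co.uk) is rejected in the same way as https://*.com, since extension authors will read this list as the full rule.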