From what I know about CSPs, this looks syntactically correct. The HTML5 Rocks article on CSP agrees with your syntax, saying:
script-src https://host1.com https://host2.com
would correctly specify both origins as valid.
However, your problem may be that either:

- This CSP disallows all subdomains, including www.foo.com and www.example.com. You can add those subdomain hostnames explicitly, or you can use https://*.foo.com to allow all subdomains.
- If any of your script requests redirect to a non-permitted domain, the request will fail. For example, if https://example.com/foo.js responds with a 301 or 302 redirect to https://notpermitted.com/foo.js (not-permitted origin) or https://www.example.com/foo.js (non-permitted subdomain), the request will fail according to the spec:

> Whenever the user agent fetches a URI (including when following redirects)... if the URI does not match the allowed script sources, the user agent must act as if it had received an empty HTTP 400 response...
EDIT:
Just to confirm, yes, Chrome extensions can whitelist multiple HTTPS origins. You can build a simple extension to test this:
manifest.json
{
"name":"CSP Test",
"version":"1.0",
"manifest_version":2,
"browser_action":{
"default_popup":"csp_test.html"
},
"content_security_policy": "script-src 'self' https://www.iana.org https://ajax.googleapis.com; object-src 'self'"
}
csp_test.html
<script src="https://www.iana.org/_js/2013.1/jquery.js"></script>
<script src="https://ajax.googleapis.com/ajax/libs/jqueryui/1.10.3/jquery-ui.min.js"></script>
<script src="csp_test.js"></script>
csp_test.js
// Each alert shows the loaded object, or "undefined" if the CSP blocked that script.
alert(jQuery)
alert(jQuery.ui)
This extension loads jQuery and jQuery UI from remote domains. If you remove either origin from the CSP, you will see an "undefined" alert signifying that one of the libraries failed to load.
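The two failure modes described in the answer (a host source does not cover its subdomains, and every hop of a redirect must match the source list) can be reproduced with a small matcher. The following is an added example, not code from the answer above or from any browser; it implements only scheme-plus-host matching with the `*.` wildcard and `'self'`, and it checks redirect chains the way the spec text quoted above describes. The function and variable names are chosen here and are not a real API; real CSP matching additionally handles ports, paths, nonces, hashes and scheme-only sources.

```javascript
// Added example (not from the original answer): a minimal matcher for CSP
// host-source expressions, to show why "https://foo.com" does not cover
// "https://www.foo.com" and why every hop of a redirect chain must match.
// Only scheme + host (+ optional "*." wildcard) and 'self' are handled.

// Split a script-src directive value into its source expressions.
function parseSources(directiveValue) {
  return directiveValue.trim().split(/\s+/).filter(Boolean);
}

// Does one source expression (e.g. "https://*.foo.com") match `url`?
// `selfOrigin` is the origin of the document the policy protects.
function sourceMatches(source, url, selfOrigin) {
  const target = new URL(url);
  if (source === "'self'") return target.origin === selfOrigin;
  if (source === "'none'") return false;

  // scheme://  optional "*."  host   (ports, paths, nonces, hashes not handled)
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+)$/i.exec(source);
  if (!m) return false;
  const [, scheme, wildcard, host] = m;

  const targetScheme = target.protocol.replace(/:$/, "");
  if (scheme && scheme.toLowerCase() !== targetScheme) return false;

  const targetHost = target.hostname.toLowerCase();
  const sourceHost = host.toLowerCase();
  if (wildcard) {
    // "*.foo.com" matches "www.foo.com" but not "foo.com" itself.
    return targetHost.endsWith("." + sourceHost);
  }
  // A plain host source matches that host exactly, never its subdomains.
  return targetHost === sourceHost;
}

// Is `url` allowed by any source in the directive?
function urlAllowed(directiveValue, url, selfOrigin) {
  return parseSources(directiveValue).some((s) => sourceMatches(s, url, selfOrigin));
}

// A fetch that redirects is allowed only if every URL in the chain
// (original request plus each redirect target) matches the source list.
function redirectChainAllowed(directiveValue, chain, selfOrigin) {
  return chain.every((u) => urlAllowed(directiveValue, u, selfOrigin));
}

// Constructed sample policy and requests, mirroring the answer's scenario.
const policy = "'self' https://foo.com https://example.com";
const selfOrigin = "https://myapp.test"; // hypothetical protected origin

console.log(urlAllowed(policy, "https://foo.com/a.js", selfOrigin));        // true
console.log(urlAllowed(policy, "https://www.foo.com/a.js", selfOrigin));    // false: subdomain
console.log(urlAllowed("https://*.foo.com", "https://www.foo.com/a.js"));   // true: wildcard
console.log(redirectChainAllowed(policy, [
  "https://example.com/foo.js",
  "https://notpermitted.com/foo.js",                                         // redirect target
], selfOrigin));                                                             // false
```

Running it with Node prints the four values noted in the trailing comments; the last case is the 301/302 redirect from the answer, rejected because the second hop is not in the source list even though the first hop is.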