
Chrome -- Getting Started

CSP (Content Security Policy)

The core logic is here.

  1. If the directive contains *, it allows the HTTP family of schemes (http/https) or URLs matching the current page's scheme. This is why script-src * allows scripts from any HTTP/HTTPS source.
  2. If the directive contains 'self', check whether the URL matches the current origin.
  3. Check against explicitly listed sources (like https://example.com).
  4. Special handling for WebSocket URLs with wildcards.
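A small Python model of the first three checks, added here as an illustration and not taken from Blink's source. The page URL, hosts and ports are constructed; paths, the https upgrade of http: sources and the WebSocket wildcard case (step 4) are not modelled.

```python
from urllib.parse import urlsplit

# Default ports used when a source or URL omits one.
DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}


def origin_of(url):
    """Return (scheme, host, port) with the scheme's default port filled in."""
    p = urlsplit(url)
    return (p.scheme, p.hostname or "", p.port or DEFAULT_PORTS.get(p.scheme))


def host_matches(pattern, host):
    """Host-source matching: exact host, or '*.example.com' for any subdomain."""
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])  # '*.cdn.test' -> must end in '.cdn.test'
    return pattern == host


def explicit_source_matches(source, url, page_scheme):
    """Step 3: match one listed source such as https://example.com or *.cdn.test:8443."""
    if "://" not in source:
        # A source without a scheme takes the page's scheme (e.g. 'example.com').
        source = page_scheme + "://" + source
    s_scheme, s_host, s_port = origin_of(source)
    u_scheme, u_host, u_port = origin_of(url)
    return s_scheme == u_scheme and host_matches(s_host, u_host) and s_port == u_port


def csp_allows(directive_value, page_url, url):
    """Apply the checks from the post, in order, to one candidate URL."""
    sources = directive_value.split()
    page_origin = origin_of(page_url)
    u_scheme, u_host, u_port = origin_of(url)
    # 1. '*' allows http/https, or anything using the page's own scheme.
    if "*" in sources and (u_scheme in ("http", "https") or u_scheme == page_origin[0]):
        return True
    # 2. 'self' allows the page's own origin (scheme, host and port).
    if "'self'" in sources and (u_scheme, u_host, u_port) == page_origin:
        return True
    # 3. Explicitly listed host sources; keyword sources in quotes are skipped.
    for src in sources:
        if src == "*" or src.startswith("'"):
            continue
        if explicit_source_matches(src, url, page_origin[0]):
            return True
    # 4. WebSocket-specific wildcard handling is not modelled here (assumption).
    return False
```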

How Blink works

This post is licensed under CC BY 4.0 by the author.