[FedCM] Only compare origins, not paths, for CSP checks For compatibility with existing deployments, only compare origins. This has been discussed and agreed with Chrome Security in https://docs.google.com/document/d/16OwWXqg4tueno7xkQU7TPrF-qJle3KFqRUMHCFQ3rug/edit Fixed: 1320724 Change-Id: I2758727149757cef835cd10b4c4d04897f234098 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3630577 Reviewed-by: Arthur Sonzogni <arthursonzogni@chromium.org> Reviewed-by: Yi Gu <yigu@chromium.org> Commit-Queue: Christian Biesinger <cbiesinger@chromium.org> Reviewed-by: Antonio Sartori <antoniosartori@chromium.org> Cr-Commit-Position: refs/heads/main@{#1002743}

commit: cff0ff189857308de7cdaed08a808669f1513cac [log] [tgz]
author: Christian Biesinger <cbiesinger@chromium.org> Thu May 12 18:30:26 2022
committer: Blink WPT Bot <blink-w3c-test-autoroller@chromium.org> Thu May 12 18:37:50 2022
tree: 7b5a8c738897fc9ed1237c1ddaa32eb7c9421966
parent: 7f4089c1f0ba37dc51fb3a220f8719ff98863374 [diff]
diff --git a/credential-management/fedcm.https.html.headers b/credential-management/fedcm.https.html.headers
index e907cdd..408f782 100644
--- a/credential-management/fedcm.https.html.headers
+++ b/credential-management/fedcm.https.html.headers

@@ -1 +1 @@
-Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; connect-src https://idp.test
+Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; connect-src https://idp.test/never/used/path
commit	cff0ff189857308de7cdaed08a808669f1513cac	[log] [tgz]
author	Christian Biesinger <cbiesinger@chromium.org>	Thu May 12 18:30:26 2022
committer	Blink WPT Bot <blink-w3c-test-autoroller@chromium.org>	Thu May 12 18:37:50 2022
tree	7b5a8c738897fc9ed1237c1ddaa32eb7c9421966
parent	7f4089c1f0ba37dc51fb3a220f8719ff98863374 [diff]