Both Chromium and Firefox decided to do case-sensitive matching for `path-part` of `source-expression`, despite both CSP v2 and v3 are telling to do case-insensitive match (I reported it in https://bugs.chromium.org/p/chromium/issues/detail?id=590502).

Given a header of `Content-Security-Policy: script-src localhost/a/B/c/d/`, the script `<script src="//localhost/a/b/c/d/script.js"></script>` should not be loaded, as specification doesn't provide special handling for non-first entry in `source-expression-path-list`. 
VULNERABILITY DETAILS

Example code that does not load the script in FF and loads in Chromium:
```
package main

import (
    "fmt"
    "net/http"
)
func main() {
    http.HandleFunc("/script/a/b/c/d/script.js", func(w http.ResponseWriter, r *http.Request) {
    fmt.Fprintln(w, `
    alert(1);
  `)
    })

    http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
        w.Header().Set("Content-Security-Policy", "script-src localhost:8888/script/a/b/C/D/")
    fmt.Fprintln(w, `<html>
    <body>
      <script src='/script/a/b/c/d/script.js'></script>
    </body>
  </html>`)
    })
    http.ListenAndServe(":8888", nil)
}

```

VERSION
Chrome Version: 50.0.2652.0 dev (64-bit)
Operating System: Darwin 15.3.0 Darwin Kernel Version 15.3.0; root:xnu-3248.30.4~1/RELEASE_X86_64 x86_64

REPRODUCTION CASE
Please include a demonstration of the security bug, such as an attached
HTML or binary file that reproduces the bug when loaded in Chrome. PLEASE
make the file as small as possible and remove any content not required to
demonstrate the bug.

FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: [tab, browser, etc.]
Crash State: [see link above: stack trace, registers, exception record]
Client ID (if relevant): [see link above]