Security: CSP expression matching algorithm should not match non-network schemes by default
Reported by shek...@gmail.com, Apr 12 2016
Issue description
Sorry for using this template, but the rest are irrelevant. As discussed in https://github.com/w3c/webappsec-csp/issues/69, we'd like to change the source expression matching logic to not match any schemes other than network schemes if the source expression is "*". The caveat is that the "ws"/"wss" schemes are not considered network schemes. On the other hand, CSP checks are performed in Fetch (https://fetch.spec.whatwg.org/#concept-websocket-establish), and by that time WebSocket request URLs are converted to "http"/"https" anyway. A reasonable solution to conform to the new logic would be to deprecate the WebSocket schemes altogether, e.g. match "wss" if "https" is whitelisted, match "ws" if "http" is whitelisted, and ignore explicit "ws"/"wss" schemes in source expressions, which will make matching a little less strict. Unfortunately, there is a subset of corner cases that is not backwards compatible: `connect-src wss:` will not have any effect with the new logic, while it has a distinct meaning in CSP 2. We suspect that this pattern is very rare, if not non-existent, in the wild. This Chromium issue is opened to track the changes needed to collect metrics to see how often such policies are present.

VULNERABILITY DETAILS
Currently, non-local and non-network schemes are allowed by the source expression "*".

VERSION
N/A

REPRODUCTION CASE
N/A
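The two matching behaviours described in the report, side by side, as an added example (this is not Chromium's code and not the spec's algorithm text; the function names, the LOCAL_SCHEMES/NETWORK_SCHEMES sets and the sample policy are assumptions made for the illustration, and only "*" and bare scheme-source expressions such as "https:" or "wss:" are handled). It also includes a small check for the backwards-incompatible corner case, a directive that relies on a bare `ws:`/`wss:` scheme-source, which is the kind of pattern the metrics mentioned in the issue would count.

```javascript
// Added example (not Chromium's or the CSP spec's code): scheme matching
// for a CSP source expression under the CSP 2 rules and under the logic
// proposed in w3c/webappsec-csp#69. Function names, LOCAL_SCHEMES and
// NETWORK_SCHEMES are assumptions made for this illustration; only "*"
// and bare scheme-source expressions ("https:", "wss:") are handled.

// CSP 2: "*" matches every scheme except these local schemes.
const LOCAL_SCHEMES = new Set(["blob", "data", "filesystem"]);
// Proposed logic: "*" matches only network schemes.
const NETWORK_SCHEMES = new Set(["http", "https"]);
// Bare scheme-source expression, e.g. "https:" or "wss:".
const SCHEME_SOURCE = /^([a-z][a-z0-9+.\-]*):$/i;

function schemeOf(urlString) {
  // URL.protocol is already lower-cased and carries a trailing ":".
  return new URL(urlString).protocol.slice(0, -1);
}

// By the time Fetch runs the CSP check, WebSocket request URLs have been
// rewritten to http/https; mirror that rewrite here.
function normalizeWebSocketScheme(scheme) {
  if (scheme === "ws") return "http";
  if (scheme === "wss") return "https";
  return scheme;
}

// CSP 2 matching: "*" excludes only local schemes, and a scheme-source
// must match the URL's scheme exactly (so "https:" does not cover wss://).
function matchesCsp2(expr, urlString) {
  const scheme = schemeOf(urlString);
  if (expr === "*") return !LOCAL_SCHEMES.has(scheme);
  const m = SCHEME_SOURCE.exec(expr);
  if (m) return m[1].toLowerCase() === scheme;
  return false; // host-source expressions are outside this example
}

// Proposed matching: "*" matches network schemes only, wss/ws are folded
// into https/http, and an explicit ws:/wss: scheme-source is ignored.
function matchesProposed(expr, urlString) {
  const scheme = normalizeWebSocketScheme(schemeOf(urlString));
  if (expr === "*") return NETWORK_SCHEMES.has(scheme);
  const m = SCHEME_SOURCE.exec(expr);
  if (m) {
    const exprScheme = m[1].toLowerCase();
    if (exprScheme === "ws" || exprScheme === "wss") return false;
    return exprScheme === scheme;
  }
  return false; // host-source expressions are outside this example
}

// The backwards-incompatible corner case: directives whose source list
// contains a bare ws:/wss: scheme-source. Returns the affected directive
// names, in policy order.
function directivesUsingWebSocketScheme(policy) {
  const hits = [];
  for (const directive of policy.split(";")) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length < 2) continue; // no source list, nothing to inspect
    const [name, ...sources] = tokens;
    if (sources.some((s) => /^wss?:$/i.test(s))) hits.push(name.toLowerCase());
  }
  return hits;
}

// Constructed sample policy and URLs (not taken from any real site).
const SAMPLE_POLICY = "default-src 'self'; connect-src wss: https://api.example.com";
const SAMPLE_URLS = [
  "wss://api.example.com/socket",
  "chrome-extension://abcdef/page.html",
  "data:text/plain,hi",
];

// Side-by-side result for one source expression over the sample URLs.
function compare(expr) {
  return SAMPLE_URLS.map((u) => ({
    url: u,
    csp2: matchesCsp2(expr, u),
    proposed: matchesProposed(expr, u),
  }));
}

console.log(compare("*"));
console.log(compare("wss:"));
console.log(directivesUsingWebSocketScheme(SAMPLE_POLICY));
```

Under the proposed logic the extension URL stops matching "*" (it is neither local nor network), `https:` starts covering `wss://` because the scheme has been folded to https, and `connect-src wss:` on its own no longer allows anything, which is exactly the corner case the report says needs measuring before the change ships.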
Apr 12 2016
Thanks! Couldn't find "Feature request" as an option for an external reporter. cc mkswt
Apr 13 2016

Oct 31 2017

Nov 2 2017
This has been in for a while (see tests at https://cs.chromium.org/chromium/src/third_party/WebKit/Source/core/frame/csp/SourceListDirectiveTest.cpp?rcl=2e3f815437d4186aeb943e965f420e707b6a67b7&l=84).
Comment 1 by tsepez@chromium.org, Apr 12 2016