'blob:' URLs should not match 'self' in CSP source expression lists.

Source/core/frame/csp/ContentSecurityPolicy.cpp

Index: Source/core/frame/csp/ContentSecurityPolicy.cpp
diff --git a/Source/core/frame/csp/ContentSecurityPolicy.cpp b/Source/core/frame/csp/ContentSecurityPolicy.cpp
index 9c6ccdf24fbfb02fba439c7df26c7cc19c738482..536a3ed9565b1a0b88153da84819477df705297a 100644
--- a/Source/core/frame/csp/ContentSecurityPolicy.cpp
+++ b/Source/core/frame/csp/ContentSecurityPolicy.cpp
@@ -953,6 +953,15 @@ bool ContentSecurityPolicy::protocolMatchesSelf(const KURL& url) const
     return equalIgnoringCase(url.protocol(), m_selfProtocol);
 }
 
+bool ContentSecurityPolicy::selfMatchesInnerURL() const
+{
+    // Due to backwards-compatibility concerns, we allow 'self' to match blob and filesystem URLs
+    // if we're in a context that bypasses Content Security Policy in the main world.
+    //
+    // TODO(mkwst): Revisit this once embedders have an opportunity to update their extension models.
+    return m_executionContext && SchemeRegistry::schemeShouldBypassContentSecurityPolicy(m_executionContext->securityOrigin()->protocol());
+}
+
 bool ContentSecurityPolicy::shouldBypassMainWorld(const ExecutionContext* context)
 {
     if (context && context->isDocument()) {