CSP 1.1: <meta> delivery should be ignored outside <head>.

Source/core/html/HTMLMetaElement-in.cpp

Index: Source/core/html/HTMLMetaElement-in.cpp
diff --git a/Source/core/html/HTMLMetaElement-in.cpp b/Source/core/html/HTMLMetaElement-in.cpp
index 00eb4dc73b691830815b16b12ebd112df2208617..f63a6f834ff1d3ca965cb4912eb1d4b076adc737 100644
--- a/Source/core/html/HTMLMetaElement-in.cpp
+++ b/Source/core/html/HTMLMetaElement-in.cpp
@@ -443,6 +443,18 @@ Node::InsertionNotificationRequest HTMLMetaElement::insertedInto(ContainerNode*
     return InsertionDone;
 }
 
+static bool inDocumentHead(HTMLMetaElement* element)
+{
+    if (!element->inDocument())
+        return false;
+
+    for (Element* current = element; current; current = current->parentElement()) {
+        if (current->hasTagName(HTMLNames::headTag))
+            return true;
+    }
+    return false;
+}
+
 void HTMLMetaElement::process()
 {
     if (!inDocument())
@@ -468,9 +480,10 @@ void HTMLMetaElement::process()
     // Get the document to process the tag, but only if we're actually part of DOM
     // tree (changing a meta tag while it's not in the tree shouldn't have any effect
     // on the document).
+
     const AtomicString& httpEquivValue = fastGetAttribute(http_equivAttr);
     if (!httpEquivValue.isEmpty())
-        document().processHttpEquiv(httpEquivValue, contentValue);
+        document().processHttpEquiv(httpEquivValue, contentValue, inDocumentHead(this));
 }
 
 const AtomicString& HTMLMetaElement::content() const