Index: third_party/WebKit/Source/core/frame/csp/CSPSourceList.cpp |
diff --git a/third_party/WebKit/Source/core/frame/csp/CSPSourceList.cpp b/third_party/WebKit/Source/core/frame/csp/CSPSourceList.cpp |
index 9caeb9340d6a66a0b0480e6b466375fd44838ca0..9f96e06b4c34f3a060b709835307d3534af01fdd 100644 |
--- a/third_party/WebKit/Source/core/frame/csp/CSPSourceList.cpp |
+++ b/third_party/WebKit/Source/core/frame/csp/CSPSourceList.cpp |
@@ -45,7 +45,12 @@ CSPSourceList::CSPSourceList(ContentSecurityPolicy* policy, const String& direct |
bool CSPSourceList::matches(const KURL& url, ContentSecurityPolicy::RedirectStatus redirectStatus) const |
{ |
- if (m_allowStar) |
+ |
Mike West
2015/09/25 13:53:41
Nit: Drop the newline.
jww
2015/09/25 15:32:15
Done.
|
+ // The CSP spec specifically states that data:, blob:, and filesystem URLs |
+ // should not be captured by a '*" source: |
+ // http://www.w3.org/TR/CSP2/#source-list-guid-matching, so there is an |
+ // explicit check for those protocols here. |
+ if (m_allowStar && !url.protocolIs("blob") && !url.protocolIs("data") && !url.protocolIs("filesystem")) |
return true; |
KURL effectiveURL = m_policy->selfMatchesInnerURL() && SecurityOrigin::shouldUseInnerURL(url) ? SecurityOrigin::extractInnerURL(url) : url; |