Description

CSP: 'self' should be handled correctly in sandboxes.

Currently, we're checking against the SecurityOrigin rather than the
document's URL. Normally this is perfectly fine, but if the document is
sandboxed, then the null security origin breaks the behavior of 'self'
in source expression lists.

This patch changes 'self' to refer to the URL of the protected resource,
and in the special case of srcdoc documents, to the URL of the protected
resource's parent browsing context.

BUG=326806
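
The difference between the two checks described above, as an added example that is not code from this patch or from Blink. The document shape ({url, sandboxed, parent}), the function names and the sample URLs are assumptions, and 'self' matching is simplified to an exact scheme/host/port comparison.

```javascript
// Added example: simplified model of how CSP 'self' is resolved.
// The doc shape {url, sandboxed, parent} and all function names are assumptions.

// Opaque origins serialize as "null" and never match anything, including each other.
function sameOrigin(a, b) {
  return a !== "null" && b !== "null" && a === b;
}

// A sandboxed document (no allow-same-origin) has an opaque security origin.
function securityOrigin(doc) {
  if (doc.sandboxed) return "null";
  if (doc.url === "about:srcdoc" && doc.parent) return securityOrigin(doc.parent);
  return new URL(doc.url).origin;
}

// Before: 'self' is compared against the document's security origin.
function selfMatchesByOrigin(doc, resourceUrl) {
  return sameOrigin(securityOrigin(doc), new URL(resourceUrl).origin);
}

// After: 'self' refers to the URL of the protected resource; a srcdoc
// document has no URL of its own to match, so its parent's URL is used.
function selfUrl(doc) {
  let d = doc;
  while (d.url === "about:srcdoc" && d.parent) d = d.parent;
  return d.url;
}

function selfMatchesByUrl(doc, resourceUrl) {
  return sameOrigin(new URL(selfUrl(doc)).origin, new URL(resourceUrl).origin);
}

// Constructed sample documents and resources (not taken from the patch).
const page = { url: "https://app.example.test/index.html", sandboxed: false, parent: null };
const sandboxedPage = { ...page, sandboxed: true };
const sandboxedSrcdoc = { url: "about:srcdoc", sandboxed: true, parent: page };
const sameSite = "https://app.example.test/js/app.js";
const otherSite = "https://cdn.example.test/lib.js";

for (const [name, doc] of Object.entries({ page, sandboxedPage, sandboxedSrcdoc })) {
  console.log(name, "origin check:", selfMatchesByOrigin(doc, sameSite),
    "url check:", selfMatchesByUrl(doc, sameSite),
    "cross-origin:", selfMatchesByUrl(doc, otherSite));
}
```

Resolving 'self' from the URL keeps the policy usable inside a sandbox without widening it: a cross-origin resource still fails the check.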
Patch Set 1
Patch Set 2: Rebase