Index: Source/core/frame/ContentSecurityPolicy.cpp |
diff --git a/Source/core/frame/ContentSecurityPolicy.cpp b/Source/core/frame/ContentSecurityPolicy.cpp |
index b3e3a1b0a210ec1bc934ed13e8e01d8dd0a0e857..694935156a8fadbd77f32877bda0ac776f52fa1d 100644 |
--- a/Source/core/frame/ContentSecurityPolicy.cpp |
+++ b/Source/core/frame/ContentSecurityPolicy.cpp |
@@ -241,7 +241,7 @@ private: |
bool schemeMatches(const KURL& url) const |
{ |
if (m_scheme.isEmpty()) { |
- String protectedResourceScheme(m_policy->securityOrigin()->protocol()); |
+ String protectedResourceScheme(m_policy->url().protocol()); |
if (equalIgnoringCase("http", protectedResourceScheme)) |
return url.protocolIs("http") || url.protocolIs("https"); |
return equalIgnoringCase(url.protocol(), protectedResourceScheme); |
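Review bot: The default-scheme check in `schemeMatches` now reads `m_policy->url().protocol()` directly, while `addSourceSelf` in the same commit walks from a srcdoc document up to its parent before taking the URL, so the two can disagree about the protected resource. If `m_policy->url()` returns the srcdoc document's own URL (its definition is not visible here), a scheme-less source expression inside a srcdoc frame would be compared against the `about` scheme and would match no http(s) resource. Consider putting the parent walk in one helper that both call sites use, and add a comment here such as `// Scheme-less sources inherit the scheme of the protected resource's URL, not of its security origin.` The body of `schemeMatches` continues past the end of this hunk.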
@@ -715,7 +715,16 @@ bool CSPSourceList::parsePort(const UChar* begin, const UChar* end, int& port, b |
void CSPSourceList::addSourceSelf() |
{ |
- m_list.append(CSPSource(m_policy, m_policy->securityOrigin()->protocol(), m_policy->securityOrigin()->host(), m_policy->securityOrigin()->port(), String(), false, false)); |
+ if (Document* document = m_policy->document()) { |
+ // srcdoc documents should use their parent document's URL as 'self', so walk the chain. |
+ Frame* frame = document->frame(); |
+ while (frame->document()->isSrcdocDocument() && frame->tree().parent()) |
+ frame = frame->tree().parent(); |
+ document = frame->document(); |
+ m_list.append(CSPSource(m_policy, document->url().protocol(), document->url().host(), document->url().port(), String(), false, false)); |
+ } else { |
+ m_list.append(CSPSource(m_policy, m_policy->url().protocol(), m_policy->url().host(), m_policy->url().port(), String(), false, false)); |
+ } |
} |
void CSPSourceList::addSourceStar() |
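Review bot: `document->frame()` is used without a null check in the loop condition `frame->document()->isSrcdocDocument()`, so if a policy can belong to a document that has no frame (detached or never attached), adding 'self' dereferences a null pointer. Guard the walk with `while (frame && frame->document()->isSrcdocDocument() && frame->tree().parent())` and then `if (frame) document = frame->document();`. Separately, only srcdoc is special-cased: other documents that inherit their origin but have a non-hierarchical URL (about:blank, for instance) would now get a 'self' built from the `about` scheme and an empty host, where the old code used the inherited security origin. If that is intended, say so in the comment above the loop and cover it with a test. Otherwise 'self' silently stops matching same-origin resources in those frames.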