Index: third_party/WebKit/Source/core/dom/Document.cpp |
diff --git a/third_party/WebKit/Source/core/dom/Document.cpp b/third_party/WebKit/Source/core/dom/Document.cpp |
index c8e19ff67dd7b76877a042ace84c8aa926ef0f41..b07106c22b218a5900469a429969d0923ff68bf7 100644 |
--- a/third_party/WebKit/Source/core/dom/Document.cpp |
+++ b/third_party/WebKit/Source/core/dom/Document.cpp |
@@ -4976,6 +4976,12 @@ void Document::initSecurityContext(const DocumentInit& initializer) |
// https://mikewest.github.io/cors-rfc1918/#csp). |
if (initializer.isHostedInReservedIPRange()) { |
setAddressSpace(getSecurityOrigin()->isLocalhost() ? WebAddressSpaceLocal : WebAddressSpacePrivate); |
+ } else if (getSecurityOrigin()->isLocal()) { |
+ // "Local" security origins (like 'file://...') are treated as having |
+ // a local address space. |
+ // |
+ // TODO(mkwst): It's not entirely clear that this is a good idea. |
+ setAddressSpace(WebAddressSpaceLocal); |
} else { |
setAddressSpace(WebAddressSpacePublic); |
} |