CORS-RFC1918: Introduce the 'addressSpace' IDL attributes.

third_party/WebKit/Source/core/dom/Document.cpp

Index: third_party/WebKit/Source/core/dom/Document.cpp
diff --git a/third_party/WebKit/Source/core/dom/Document.cpp b/third_party/WebKit/Source/core/dom/Document.cpp
index 2dcaf63d8c8d9efcd981b3ddcf8c38892f1dceca..a716c3679a1c3ba53662cf38a4915a6ffa886282 100644
--- a/third_party/WebKit/Source/core/dom/Document.cpp
+++ b/third_party/WebKit/Source/core/dom/Document.cpp
@@ -4918,8 +4918,6 @@ void Document::initSecurityContext(const DocumentInit& initializer)
 {
     ASSERT(!securityOrigin());
 
-    setHostedInReservedIPRange(initializer.isHostedInReservedIPRange());
-
     if (!initializer.hasSecurityContext()) {
         // No source for a security context.
         // This can occur via document.implementation.createDocument().
@@ -4960,6 +4958,16 @@ void Document::initSecurityContext(const DocumentInit& initializer)
         setSecurityOrigin(SecurityOrigin::create(m_url));
     }
 
+    // Set the address space before setting up CSP, as the latter may override

[philipj_slow, 2016/03/04 04:35:08]

OK, so that's https://mikewest.github.io/cors-rfc1918/#csp

It was not hard to figure this out, but can you make reference to
treat-as-public-address here to help the reader along?

[Mike West, 2016/03/04 08:58:21]

Done.

+    // the former.
+    if (initializer.isHostedInReservedIPRange()) {
+        setAddressSpace(securityOrigin()->isLocalhost()
+            ? WebURLRequest::AddressSpaceLocal
+            : WebURLRequest::AddressSpacePrivate);
+    } else {
+        setAddressSpace(WebURLRequest::AddressSpacePublic);
+    }
+
     if (importsController()) {
         // If this document is an HTML import, grab a reference to it's master document's Content
         // Security Policy. We don't call 'initContentSecurityPolicy' in this case, as we can't