| Index: third_party/WebKit/Source/core/dom/Document.cpp
|
| diff --git a/third_party/WebKit/Source/core/dom/Document.cpp b/third_party/WebKit/Source/core/dom/Document.cpp
|
| index 906c2c85b5b24d1e7d5c452315586983e93e74ba..a9a9c5d6401156a672d72fc4011c8a37da70080a 100644
|
| --- a/third_party/WebKit/Source/core/dom/Document.cpp
|
| +++ b/third_party/WebKit/Source/core/dom/Document.cpp
|
| @@ -4917,8 +4917,6 @@ void Document::initSecurityContext(const DocumentInit& initializer)
|
| {
|
| ASSERT(!securityOrigin());
|
|
|
| - setHostedInReservedIPRange(initializer.isHostedInReservedIPRange());
|
| -
|
| if (!initializer.hasSecurityContext()) {
|
| // No source for a security context.
|
| // This can occur via document.implementation.createDocument().
|
| @@ -4959,6 +4957,15 @@ void Document::initSecurityContext(const DocumentInit& initializer)
|
| setSecurityOrigin(SecurityOrigin::create(m_url));
|
| }
|
|
|
| + // Set the address space before setting up CSP, as the latter may override
|
| + // the former via the 'treat-as-public-address' directive (see
|
| + // https://mikewest.github.io/cors-rfc1918/#csp).
|
| + if (initializer.isHostedInReservedIPRange()) {
|
| + setAddressSpace(securityOrigin()->isLocalhost() ? WebURLRequest::AddressSpaceLocal : WebURLRequest::AddressSpacePrivate);
|
| + } else {
|
| + setAddressSpace(WebURLRequest::AddressSpacePublic);
|
| + }
|
| +
|
| if (importsController()) {
|
| // If this document is an HTML import, grab a reference to it's master document's Content
|
| // Security Policy. We don't call 'initContentSecurityPolicy' in this case, as we can't
|
|
|
Chromium Code Reviews
Issue 1754713006:
CORS-RFC1918: Introduce the 'addressSpace' IDL attributes. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master