Index: third_party/WebKit/Source/modules/worklet/Worklet.cpp |
diff --git a/third_party/WebKit/Source/modules/worklet/Worklet.cpp b/third_party/WebKit/Source/modules/worklet/Worklet.cpp |
index 54993701b26d3318a46beafde5caadf43c95419a..0a31eef99aec56f5a722cfaebc11f69318ffaa95 100644 |
--- a/third_party/WebKit/Source/modules/worklet/Worklet.cpp |
+++ b/third_party/WebKit/Source/modules/worklet/Worklet.cpp |
@@ -26,8 +26,9 @@ ScriptPromise Worklet::import(ScriptState* scriptState, const String& url) |
return ScriptPromise::rejectWithDOMException(scriptState, DOMException::create(SyntaxError, "'" + url + "' is not a valid URL.")); |
} |
- // TODO(ikilpatrick): Perform upfront CSP checks once we decide on a |
- // CSP-policy for worklets. |
+ if (!getExecutionContext()->securityContext().contentSecurityPolicy()->allowScriptFromSource(scriptURL, AtomicString())) { |
+ return ScriptPromise::rejectWithDOMException(scriptState, DOMException::create(NetworkError, "Access to '" + scriptURL.elidedString() + "' is denied by document's Content Security Policies.")); |
Mike West
2016/07/21 07:26:48
Hrm. This seems inconsistent with the way we handl
|
+ } |
ScriptPromiseResolver* resolver = ScriptPromiseResolver::create(scriptState); |
m_resolvers.append(resolver); |