Enable checking for Content Security Policies before loading an external worklet script.

third_party/WebKit/Source/modules/worklet/Worklet.cpp

Index: third_party/WebKit/Source/modules/worklet/Worklet.cpp
diff --git a/third_party/WebKit/Source/modules/worklet/Worklet.cpp b/third_party/WebKit/Source/modules/worklet/Worklet.cpp
index 54993701b26d3318a46beafde5caadf43c95419a..0a31eef99aec56f5a722cfaebc11f69318ffaa95 100644
--- a/third_party/WebKit/Source/modules/worklet/Worklet.cpp
+++ b/third_party/WebKit/Source/modules/worklet/Worklet.cpp
@@ -26,8 +26,9 @@ ScriptPromise Worklet::import(ScriptState* scriptState, const String& url)
         return ScriptPromise::rejectWithDOMException(scriptState, DOMException::create(SyntaxError, "'" + url + "' is not a valid URL."));
     }
 
-    // TODO(ikilpatrick): Perform upfront CSP checks once we decide on a
-    // CSP-policy for worklets.
+    if (!getExecutionContext()->securityContext().contentSecurityPolicy()->allowScriptFromSource(scriptURL, AtomicString())) {
+        return ScriptPromise::rejectWithDOMException(scriptState, DOMException::create(NetworkError, "Access to '" + scriptURL.elidedString() + "' is denied by document's Content Security Policies."));

[Mike West, 2016/07/21 07:26:48]

Hrm. This seems inconsistent with the way we handle most other requests. It
doesn't handle redirect responses, for instance.

We currently do most of the CSP checks in `FrameFetchContext::canRequest`
(called from `ResourceFetcher`). Does this loader not route through that
mechanism? It appears that we're checking for worker requests in
`ContentSecurityPolicy::allowRequest`, for instance.

+    }
 
     ScriptPromiseResolver* resolver = ScriptPromiseResolver::create(scriptState);
     m_resolvers.append(resolver);