CSP: 'connect-src' should not cause exceptions.

third_party/WebKit/Source/modules/websockets/DOMWebSocket.cpp

 /*
  * Copyright (C) 2011 Google Inc.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions are
  * met:
  *
  *     * Redistributions of source code must retain the above copyright
  * notice, this list of conditions and the following disclaimer.
  *     * Redistributions in binary form must reproduce the above
@@ skipping 313 matching lines @@
     return;
   }
 
   if (!isPortAllowedForScheme(m_url)) {
     m_state = kClosed;
     exceptionState.throwSecurityError(
         "The port " + String::number(m_url.port()) + " is not allowed.");
     return;
   }
 
-  // FIXME: Convert this to check the isolated world's Content Security Policy
-  // once webkit.org/b/104520 is solved.

[tyoshino (SeeGerritForStatus), 2016/10/27 14:16:35]

is it fine to remove this? We still have the same comment for the code in
FrameFetchContext.cpp (which is, I think, the one mentioned in the CL
description). Remove that too if it's been fixed or wontfixed?

[Mike West, 2016/10/27 14:20:25]

Since it seems like the extensions team has entirely punted on the idea of
making the isolated world's policy apply to the isolated world's actions until
v3, which doesn't seem likely to happen, I'd call this WONTFIX.

[tyoshino (SeeGerritForStatus), 2016/10/27 14:22:13]

OK

   if (!ContentSecurityPolicy::shouldBypassMainWorld(getExecutionContext()) &&
       !getExecutionContext()->contentSecurityPolicy()->allowConnectToSource(
           m_url)) {
     m_state = kClosed;
-    // The URL is safe to expose to JavaScript, as this check happens
-    // synchronously before redirection.
-    exceptionState.throwSecurityError(
-        "Refused to connect to '" + m_url.elidedString() +
-        "' because it violates the document's Content Security Policy.");
+
+    // Delay the event dispatch until after the current task by suspending and
+    // resuming the queue. If we don't do this, the event is fired synchronously
+    // with the constructor, meaning that it's impossible to listen for.
+    m_eventQueue->suspend();
+    m_eventQueue->dispatch(Event::create(EventTypeNames::error));
+    m_eventQueue->resume();
     return;
   }
 
   // Fail if not all elements in |protocols| are valid.
   for (size_t i = 0; i < protocols.size(); ++i) {
     if (!isValidSubprotocolString(protocols[i])) {
       m_state = kClosed;
       exceptionState.throwDOMException(
           SyntaxError, "The subprotocol '" +
                            encodeSubprotocolString(protocols[i]) +
@@ skipping 505 matching lines @@
 
 DEFINE_TRACE(DOMWebSocket) {
   visitor->trace(m_channel);
   visitor->trace(m_eventQueue);
   WebSocketChannelClient::trace(visitor);
   EventTargetWithInlineData::trace(visitor);
   ActiveDOMObject::trace(visitor);
 }
 
 }  // namespace blink