<a ping="..."> should be covered by connect-src CSP directive.

third_party/WebKit/Source/core/loader/PingLoader.cpp

 /*
  * Copyright (C) 2010 Google Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions are
  * met:
  *
  *     * Redistributions of source code must retain the above copyright
  * notice, this list of conditions and the following disclaimer.
  *     * Redistributions in binary form must reproduce the above
@@ skipping 15 matching lines @@
  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
  * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  *
  */
 
 #include "core/loader/PingLoader.h"
 
 #include "core/dom/DOMArrayBufferView.h"
 #include "core/dom/Document.h"
+#include "core/dom/SecurityContext.h"
 #include "core/fetch/CrossOriginAccessControl.h"
 #include "core/fetch/FetchContext.h"
 #include "core/fetch/FetchInitiatorTypeNames.h"
 #include "core/fetch/FetchUtils.h"
 #include "core/fetch/ResourceFetcher.h"
 #include "core/fetch/UniqueIdentifier.h"
 #include "core/fileapi/File.h"
 #include "core/frame/FrameConsole.h"
 #include "core/frame/LocalFrame.h"
+#include "core/frame/csp/ContentSecurityPolicy.h"
 #include "core/html/FormData.h"
 #include "core/inspector/ConsoleMessage.h"
 #include "core/inspector/InspectorInstrumentation.h"
 #include "core/inspector/InspectorTraceEvents.h"
 #include "core/loader/FrameLoader.h"
 #include "core/loader/FrameLoaderClient.h"
 #include "core/loader/MixedContentChecker.h"
 #include "core/page/Page.h"
 #include "platform/exported/WrappedResourceRequest.h"
 #include "platform/exported/WrappedResourceResponse.h"
@@ skipping 352 matching lines @@
 }
 
 bool sendPingCommon(LocalFrame* frame,
                     ResourceRequest& request,
                     const AtomicString& initiator,
                     StoredCredentials credentialsAllowed,
                     bool isBeacon) {
   if (MixedContentChecker::shouldBlockFetch(frame, request, request.url()))
     return false;
 
+  if (ContentSecurityPolicy* policy =
+          frame->securityContext()->contentSecurityPolicy()) {
+    if (!policy->allowConnectToSource(request.url()))
+      return false;
+  }

[Mike West, 2016/11/08 14:24:59]

This does too much, as it also ends up applying CSP to certain kinds of image
loads (`PingLoader::loadImage`) and to CSP violation reports
(`PingLoader::sendViolationReport`). I'd suggest moving the check either to
`PingLoader::sendLinkAuditPing`, or out of `PingLoader` entirely, into
`HTMLAnchorElement::sendPings`. I'm happy either way.

[Łukasz Anforowicz, 2016/11/08 14:38:59]

Thanks for catching this.  I should have checked what other kinds of "pings"
there are... :-/

Done.

+
   // The loader keeps itself alive until it receives a response and disposes
   // itself.
   PingLoaderImpl* loader =
       new PingLoaderImpl(frame, request, initiator, credentialsAllowed, true);
   DCHECK(loader);
 
   return true;
 }
 
 bool sendBeaconCommon(LocalFrame* frame,
@@ skipping 125 matching lines @@
 bool PingLoader::sendBeacon(LocalFrame* frame,
                             int allowance,
                             const KURL& beaconURL,
                             Blob* data,
                             int& payloadLength) {
   BeaconBlob beacon(data);
   return sendBeaconCommon(frame, allowance, beaconURL, beacon, payloadLength);
 }
 
 }  // namespace blink