<a ping="..."> should be covered by connect-src CSP directive.

third_party/WebKit/Source/core/loader/PingLoader.cpp

 /*
  * Copyright (C) 2010 Google Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions are
  * met:
  *
  *     * Redistributions of source code must retain the above copyright
  * notice, this list of conditions and the following disclaimer.
  *     * Redistributions in binary form must reproduce the above
@@ skipping 15 matching lines @@
  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
  * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  *
  */
 
 #include "core/loader/PingLoader.h"
 
 #include "core/dom/DOMArrayBufferView.h"
 #include "core/dom/Document.h"
+#include "core/dom/SecurityContext.h"
 #include "core/fetch/CrossOriginAccessControl.h"
 #include "core/fetch/FetchContext.h"
 #include "core/fetch/FetchInitiatorTypeNames.h"
 #include "core/fetch/FetchUtils.h"
 #include "core/fetch/ResourceFetcher.h"
 #include "core/fetch/UniqueIdentifier.h"
 #include "core/fileapi/File.h"
 #include "core/frame/FrameConsole.h"
 #include "core/frame/LocalFrame.h"
+#include "core/frame/csp/ContentSecurityPolicy.h"
 #include "core/html/FormData.h"
 #include "core/inspector/ConsoleMessage.h"
 #include "core/inspector/InspectorInstrumentation.h"
 #include "core/inspector/InspectorTraceEvents.h"
 #include "core/loader/FrameLoader.h"
 #include "core/loader/FrameLoaderClient.h"
 #include "core/loader/MixedContentChecker.h"
 #include "core/page/Page.h"
 #include "platform/exported/WrappedResourceRequest.h"
 #include "platform/exported/WrappedResourceResponse.h"
@@ skipping 411 matching lines @@
                  AllowStoredCredentials, false);
 }
 
 // http://www.whatwg.org/specs/web-apps/current-work/multipage/links.html#hyperlink-auditing
 void PingLoader::sendLinkAuditPing(LocalFrame* frame,
                                    const KURL& pingURL,
                                    const KURL& destinationURL) {
   if (!pingURL.protocolIsInHTTPFamily())
     return;
 
+  if (ContentSecurityPolicy* policy =
+          frame->securityContext()->contentSecurityPolicy()) {
+    if (!policy->allowConnectToSource(pingURL))
+      return;
+  }
+
   ResourceRequest request(pingURL);
   request.setHTTPMethod(HTTPNames::POST);
   request.setHTTPContentType("text/ping");
   request.setHTTPBody(EncodedFormData::create("PING"));
   request.setHTTPHeaderField(HTTPNames::Cache_Control, "max-age=0");
   finishPingRequestInitialization(request, frame,
                                   WebURLRequest::RequestContextPing);
 
   // addAdditionalRequestHeaders() will have added a referrer for same origin
   // requests, but the spec omits the referrer.
@@ skipping 65 matching lines @@
 bool PingLoader::sendBeacon(LocalFrame* frame,
                             int allowance,
                             const KURL& beaconURL,
                             Blob* data,
                             int& payloadLength) {
   BeaconBlob beacon(data);
   return sendBeaconCommon(frame, allowance, beaconURL, beacon, payloadLength);
 }
 
 }  // namespace blink