Index: third_party/WebKit/Source/core/loader/DocumentLoader.cpp |
diff --git a/third_party/WebKit/Source/core/loader/DocumentLoader.cpp b/third_party/WebKit/Source/core/loader/DocumentLoader.cpp |
index c264aa70e61d854b124a7713dee1358429a496bf..043e2e7e1ad479cce13ef7fbc2fb28577f0b4d3a 100644 |
--- a/third_party/WebKit/Source/core/loader/DocumentLoader.cpp |
+++ b/third_party/WebKit/Source/core/loader/DocumentLoader.cpp |
@@ -469,16 +469,23 @@ void DocumentLoader::responseReceived( |
frameLoader()->requiredCSP(), ContentSecurityPolicyHeaderTypeEnforce, |
ContentSecurityPolicyHeaderSourceHTTP); |
} else { |
- String message = "Refused to display '" + response.url().elidedString() + |
- "' because it has not opted-into the following policy " |
- "required by its embedder: '" + |
- frameLoader()->requiredCSP() + "'."; |
- ConsoleMessage* consoleMessage = ConsoleMessage::createForRequest( |
- SecurityMessageSource, ErrorMessageLevel, message, response.url(), |
- mainResourceIdentifier()); |
- frame()->document()->addConsoleMessage(consoleMessage); |
- cancelLoadAfterXFrameOptionsOrCSPDenied(response); |
- return; |
+ ContentSecurityPolicy* embeddingCSP = ContentSecurityPolicy::create(); |
+ embeddingCSP->addPolicyFromHeaderValue( |
+ frameLoader()->requiredCSP(), ContentSecurityPolicyHeaderTypeEnforce, |
+ ContentSecurityPolicyHeaderSourceHTTP); |
+ if (!embeddingCSP->subsumes(*m_contentSecurityPolicy)) { |
+ String message = "Refused to display '" + |
+ response.url().elidedString() + |
+ "' because it has not opted-into the following policy " |
+ "required by its embedder: '" + |
+ frameLoader()->requiredCSP() + "'."; |
+ ConsoleMessage* consoleMessage = ConsoleMessage::createForRequest( |
+ SecurityMessageSource, ErrorMessageLevel, message, response.url(), |
+ mainResourceIdentifier()); |
+ frame()->document()->addConsoleMessage(consoleMessage); |
+ cancelLoadAfterXFrameOptionsOrCSPDenied(response); |
+ return; |
+ } |
} |
} |
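Review bot: The direction of the new `subsumes` check (the line testing `!embeddingCSP->subsumes(*m_contentSecurityPolicy)`) is the security-relevant decision in this hunk and deserves a comment, since a reader can easily invert it; I would precede it with `// Refuse the load unless the document's own policy is at least as strict as the embedder's required policy, i.e. the required policy subsumes it.` (wording to be confirmed against ContentSecurityPolicy::subsumes' contract). The same line dereferences `m_contentSecurityPolicy` unconditionally; if there is any path into this else-branch where the response produced no policy object, this should be guarded rather than left to crash, and if it is an invariant here a short comment stating so would help. Note also that the required policy is now parsed twice from `frameLoader()->requiredCSP()` with identical arguments in the then-branch (context lines at the top of the hunk) and in the new else-branch, which is fine functionally but worth a one-line comment so the duplication is not "fixed" by merging the two policy objects. The enclosing `responseReceived` continues outside the hunk.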