Embedding-CSP: Fixing path matching

third_party/WebKit/Source/core/frame/csp/CSPSource.cpp

Index: third_party/WebKit/Source/core/frame/csp/CSPSource.cpp
diff --git a/third_party/WebKit/Source/core/frame/csp/CSPSource.cpp b/third_party/WebKit/Source/core/frame/csp/CSPSource.cpp
index 81f66964e4db03816d773a155880f1434aa993bd..048ffcf414678e30ab747058100aef57f3019ed6 100644
--- a/third_party/WebKit/Source/core/frame/csp/CSPSource.cpp
+++ b/third_party/WebKit/Source/core/frame/csp/CSPSource.cpp
@@ -74,7 +74,7 @@ bool CSPSource::hostMatches(const String& host) const {
 }
 
 bool CSPSource::pathMatches(const String& urlPath) const {
-  if (m_path.isEmpty())
+  if (m_path.isEmpty() || (m_path == "/" && urlPath.isEmpty()))
     return true;
 
   String path = decodeURLEscapeSequences(urlPath);
@@ -154,7 +154,9 @@ CSPSource* CSPSource::intersect(CSPSource* other) const {
   }
 
   String host = m_hostWildcard == NoWildcard ? m_host : other->m_host;
-  String path = other->pathMatches(m_path) ? m_path : other->m_path;
+  // Since sources are similar and paths match, pick the longer one.
+  String path =
+      m_path.length() > other->m_path.length() ? m_path : other->m_path;

[amalika, 2016/12/08 19:30:59]

Simplified the logic instead of adding another check. 

   // Choose this port if the other port is empty, has wildcard or is a port for
   // a less secure scheme such as "http" whereas scheme of this is "https", in
   // which case the lengths would differ.