CSP: 'self' should work inside sandboxes.

third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp

Index: third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp
diff --git a/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp b/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp
index 78d0920ae9698b25d8ed3c04cf9c2c779198a056..2064ac7cca644ec9f2d823727a2bcdeda21556fc 100644
--- a/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp
+++ b/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp
@@ -157,11 +157,15 @@ void ContentSecurityPolicy::applyPolicySideEffectsToExecutionContext() {
   DCHECK(m_executionContext &&
          m_executionContext->securityContext().getSecurityOrigin());
 
-  setupSelf(*m_executionContext->securityContext().getSecurityOrigin());
 
   // If we're in a Document, set mixed content checking and sandbox
   // flags, then dump all the parsing error messages, then poke at histograms.
   if (Document* document = this->document()) {
+    // We use the origin of the document's base URL in order to deal correctly
+    // with things like 'about:srcdoc' and 'about:blank', which look to their
+    // parents for a reasonable URL.
+    setupSelf(*SecurityOrigin::create(document->baseURL()));
+
     if (m_sandboxMask != SandboxNone) {
       UseCounter::count(document, UseCounter::SandboxViaCSP);
       document->enforceSandboxFlags(m_sandboxMask);
@@ -186,6 +190,9 @@ void ContentSecurityPolicy::applyPolicySideEffectsToExecutionContext() {
       if (policy->allowDynamic())
         UseCounter::count(*document, UseCounter::CSPWithStrictDynamic);
     }
+  } else {
+    // If we're not in a document, set up 'self' with the Worker's origin:
+    setupSelf(*m_executionContext->securityContext().getSecurityOrigin());
   }
 
   // We disable 'eval()' even in the case of report-only policies, and rely on