| Index: third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.cpp
|
| diff --git a/third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.cpp b/third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.cpp
|
| index 6a1e4bc6a5671ce07de0bd72fa94dbdd849d17f4..6afd03c976f03db12565c2ea4d7ea9d1b196fd51 100644
|
| --- a/third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.cpp
|
| +++ b/third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.cpp
|
| @@ -802,12 +802,12 @@ bool CSPDirectiveList::allowWorkerFromSource(
|
| const KURL& url,
|
| ResourceRequest::RedirectStatus redirectStatus,
|
| SecurityViolationReportingPolicy reportingPolicy) const {
|
| - // sources. So, we do this nested set of calls to 'operativeDirective()' to
|
| - // grab 'worker-src' if it exists, 'script-src' if it doesn't, and
|
| - // 'defaut-src' if neither are available.
|
| SourceListDirective* workerSrc = operativeDirective(
|
| m_workerSrc.get(), operativeDirective(m_scriptSrc.get()));
|
|
|
| + if (allowDynamicWorker())
|
| + return true;
|
| +
|
| // In CSP2, workers are controlled via 'child-src'. CSP3 moves them to
|
| // 'script-src'. In order to avoid breaking sites that allowed workers via
|
| // 'child-src' that would have been blocked via 'script-src', we'll
|
| @@ -875,6 +875,12 @@ bool CSPDirectiveList::allowDynamic() const {
|
| return checkDynamic(operativeDirective(m_scriptSrc.get()));
|
| }
|
|
|
| +bool CSPDirectiveList::allowDynamicWorker() const {
|
| + SourceListDirective* workerSrc = operativeDirective(
|
| + m_workerSrc.get(), operativeDirective(m_scriptSrc.get()));
|
| + return checkDynamic(workerSrc);
|
| +}
|
| +
|
| const String& CSPDirectiveList::pluginTypesText() const {
|
| ASSERT(hasPluginTypes());
|
| return m_pluginTypes->text();
|
|
|