Index: Source/core/fetch/ResourceFetcher.cpp |
diff --git a/Source/core/fetch/ResourceFetcher.cpp b/Source/core/fetch/ResourceFetcher.cpp |
index a70e79ee4d91a7715082acb28f181730f1a634c1..a96f54a11a51d58b52f368128997c3d23c33f83c 100644 |
--- a/Source/core/fetch/ResourceFetcher.cpp |
+++ b/Source/core/fetch/ResourceFetcher.cpp |
@@ -557,6 +557,12 @@ bool ResourceFetcher::canRequest(Resource::Type type, const ResourceRequest& res |
return false; |
} |
+ // FIXME: Once we use RequestContext for CSP (http://crbug.com/390497), remove this extra check. |
+ if (resourceRequest.requestContext() == WebURLRequest::RequestContextManifest) { |
+ if (!shouldBypassMainWorldCSP && !csp->allowManifestFromSource(url, cspReporting)) |
+ return false; |
+ } |
+ |
// Measure the number of legacy URL schemes ('ftp://') and the number of embedded-credential |
// ('http://user:password@...') resources embedded as subresources. in the hopes that we can |
// block them at some point in the future. |