Index: third_party/WebKit/Source/core/frame/csp/CSPSourceList.cpp |
diff --git a/third_party/WebKit/Source/core/frame/csp/CSPSourceList.cpp b/third_party/WebKit/Source/core/frame/csp/CSPSourceList.cpp |
index 00180ad208fd855fb5762ba19c51fb87e37360da..328bafc244d64beabde5e86ef13eb3526d6dc117 100644 |
--- a/third_party/WebKit/Source/core/frame/csp/CSPSourceList.cpp |
+++ b/third_party/WebKit/Source/core/frame/csp/CSPSourceList.cpp |
@@ -47,13 +47,11 @@ CSPSourceList::CSPSourceList(ContentSecurityPolicy* policy, const String& direct |
bool CSPSourceList::matches(const KURL& url, ResourceRequest::RedirectStatus redirectStatus) const |
{ |
- // The CSP spec specifically states that only http:, https:, ws: and wss: should |
- // be captured by a '*" source. |
- // (https://w3c.github.io/webappsec-csp/#match-url-to-source-expression). Thus, |
- // in the case of a full wildcard, URLs with any other schemes are |
- // explicitly checked for in the source list before allowing them through. |
+ // Wildcards match network schemes ('http', 'https', 'ws', 'wss'), and the scheme of the |
+ // protected resource: https://w3c.github.io/webappsec-csp/#match-url-to-source-expression. |
+ // Other schemes, including custom schemes, must be explicitly listed in a source list. |
if (m_allowStar) { |
- if (url.protocolIsInHTTPFamily() || url.protocolIs("ws") || url.protocolIs("wss")) |
+ if (url.protocolIsInHTTPFamily() || url.protocolIs("ws") || url.protocolIs("wss") || m_policy->protocolMatchesSelf(url)) |
return true; |
return hasSourceMatchInList(url, redirectStatus); |