<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[196528] trunk</title>
</head>
<body>
<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; }
#msg dl a { font-weight: bold}
#msg dl a:link { color:#fc3; }
#msg dl a:active { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/196528">196528</a></dd>
<dt>Author</dt> <dd>dbates@webkit.org</dd>
<dt>Date</dt> <dd>2016-02-12 16:24:28 -0800 (Fri, 12 Feb 2016)</dd>
</dl>
<h3>Log Message</h3>
<pre>CSP: 'blob:' URLs should not match 'self' in CSP source expression lists.
https://bugs.webkit.org/show_bug.cgi?id=153158
<rdar://problem/24383264>
Reviewed by Brent Fulgham.
Source/WebCore:
A blob URL should not match source 'self' by section Security Considerations for GUID URL schemes
of the Content Security Policy 2.0 spec., <https://www.w3.org/TR/CSP2/> (21 July 2015).
Tests: http/tests/security/contentSecurityPolicy/blob-url-does-not-match-source-self.html
http/tests/security/contentSecurityPolicy/blob-url-matches-source-blob.html
* page/csp/ContentSecurityPolicySourceList.cpp:
(WebCore::ContentSecurityPolicySourceList::matches): Do not make a distinction between URLs that
contain a nested URL (e.g. blob://http://www.example.com/...) and URLs that do not contain a nested
URL. The URL of the requested resource should be matched against the source list source expressions.
LayoutTests:
Add test http/tests/security/contentSecurityPolicy/blob-url-matches-source-blob.html to ensure that a
blob URL matches source "blob:".
Replaced text-only test http/tests/security/contentSecurityPolicy/blob-urls-match-self.html with an
analogous reference test http/tests/security/contentSecurityPolicy/blob-url-does-not-match-source-self.html
so as ensure that we do not regress the behavior that source 'self' should not match a blob URL
without considering the Content Security Policy violation message as part of the expected result.
The Content Security Policy violation message will differ between test runs because it references
the blob URL that triggered the violation, which is cryptographically random.
* TestExpectations: Remove entry for test http/tests/security/contentSecurityPolicy/blob-urls-match-self.html as the analogous test
blob-url-does-not-match-source-self.htm now passes.
* http/tests/security/contentSecurityPolicy/blob-url-does-not-match-source-self-expected.html: Added.
* http/tests/security/contentSecurityPolicy/blob-url-does-not-match-source-self.html: Added.
* http/tests/security/contentSecurityPolicy/blob-url-matches-source-blob-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/blob-url-matches-source-blob.html: Added.
* http/tests/security/contentSecurityPolicy/blob-urls-match-self-expected.txt: Removed.
* http/tests/security/contentSecurityPolicy/blob-urls-match-self.html: Removed. See the analogous test blob-url-does-not-match-source-self.html.</pre>
<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkLayoutTestsChangeLog">trunk/LayoutTests/ChangeLog</a></li>
<li><a href="#trunkLayoutTestsTestExpectations">trunk/LayoutTests/TestExpectations</a></li>
<li><a href="#trunkSourceWebCoreChangeLog">trunk/Source/WebCore/ChangeLog</a></li>
<li><a href="#trunkSourceWebCorepagecspContentSecurityPolicySourceListcpp">trunk/Source/WebCore/page/csp/ContentSecurityPolicySourceList.cpp</a></li>
</ul>
<h3>Added Paths</h3>
<ul>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicybloburldoesnotmatchsourceselfexpectedhtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/blob-url-does-not-match-source-self-expected.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicybloburldoesnotmatchsourceselfhtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/blob-url-does-not-match-source-self.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicybloburlmatchessourceblobexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/blob-url-matches-source-blob-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicybloburlmatchessourceblobhtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/blob-url-matches-source-blob.html</a></li>
</ul>
<h3>Removed Paths</h3>
<ul>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicybloburlsmatchselfexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/blob-urls-match-self-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicybloburlsmatchselfhtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/blob-urls-match-self.html</a></li>
</ul>
</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkLayoutTestsChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/ChangeLog (196527 => 196528)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/ChangeLog 2016-02-13 00:22:53 UTC (rev 196527)
+++ trunk/LayoutTests/ChangeLog 2016-02-13 00:24:28 UTC (rev 196528)
</span><span class="lines">@@ -1,5 +1,32 @@
</span><span class="cx"> 2016-02-12 Daniel Bates <dabates@apple.com>
</span><span class="cx">
</span><ins>+ CSP: 'blob:' URLs should not match 'self' in CSP source expression lists.
+ https://bugs.webkit.org/show_bug.cgi?id=153158
+ <rdar://problem/24383264>
+
+ Reviewed by Brent Fulgham.
+
+ Add test http/tests/security/contentSecurityPolicy/blob-url-matches-source-blob.html to ensure that a
+ blob URL matches source "blob:".
+
+ Replaced text-only test http/tests/security/contentSecurityPolicy/blob-urls-match-self.html with an
+ analogous reference test http/tests/security/contentSecurityPolicy/blob-url-does-not-match-source-self.html
+ so as ensure that we do not regress the behavior that source 'self' should not match a blob URL
+ without considering the Content Security Policy violation message as part of the expected result.
+ The Content Security Policy violation message will differ between test runs because it references
+ the blob URL that triggered the violation, which is cryptographically random.
+
+ * TestExpectations: Remove entry for test http/tests/security/contentSecurityPolicy/blob-urls-match-self.html as the analogous test
+ blob-url-does-not-match-source-self.htm now passes.
+ * http/tests/security/contentSecurityPolicy/blob-url-does-not-match-source-self-expected.html: Added.
+ * http/tests/security/contentSecurityPolicy/blob-url-does-not-match-source-self.html: Added.
+ * http/tests/security/contentSecurityPolicy/blob-url-matches-source-blob-expected.txt: Added.
+ * http/tests/security/contentSecurityPolicy/blob-url-matches-source-blob.html: Added.
+ * http/tests/security/contentSecurityPolicy/blob-urls-match-self-expected.txt: Removed.
+ * http/tests/security/contentSecurityPolicy/blob-urls-match-self.html: Removed. See the analogous test blob-url-does-not-match-source-self.html.
+
+2016-02-12 Daniel Bates <dabates@apple.com>
+
</ins><span class="cx"> CSP: Implement child-src directive
</span><span class="cx"> https://bugs.webkit.org/show_bug.cgi?id=153562
</span><span class="cx"> <rdar://problem/24610087>
</span></span></pre></div>
<a id="trunkLayoutTestsTestExpectations"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/TestExpectations (196527 => 196528)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/TestExpectations 2016-02-13 00:22:53 UTC (rev 196527)
+++ trunk/LayoutTests/TestExpectations 2016-02-13 00:24:28 UTC (rev 196528)
</span><span class="lines">@@ -816,7 +816,6 @@
</span><span class="cx"> webkit.org/b/153153 http/tests/security/contentSecurityPolicy/object-src-param-url-blocked.html
</span><span class="cx"> webkit.org/b/153154 http/tests/security/contentSecurityPolicy/redirect-does-not-match-paths.html
</span><span class="cx"> webkit.org/b/153155 http/tests/security/contentSecurityPolicy/style-src-blocked-error-event.html
</span><del>-webkit.org/b/153158 http/tests/security/contentSecurityPolicy/blob-urls-match-self.html [ Failure ]
</del><span class="cx"> webkit.org/b/153159 http/tests/security/contentSecurityPolicy/image-document-default-src-none.html [ Failure ]
</span><span class="cx"> webkit.org/b/153160 http/tests/security/contentSecurityPolicy/object-src-does-not-affect-child.html [ Failure ]
</span><span class="cx"> webkit.org/b/153160 http/tests/security/contentSecurityPolicy/plugin-in-iframe-with-csp.html [ Failure ]
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicybloburldoesnotmatchsourceselfexpectedhtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/blob-url-does-not-match-source-self-expected.html (0 => 196528)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/blob-url-does-not-match-source-self-expected.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/blob-url-does-not-match-source-self-expected.html 2016-02-13 00:24:28 UTC (rev 196528)
</span><span class="lines">@@ -0,0 +1,10 @@
</span><ins>+<!DOCTYPE html>
+<html>
+<body>
+<!-- This is an reference HTML document as opposed to a plain text file so as to avoid the need the include the text of
+the Content Security Policy console message when the blob-URL is blocked. The Content Security Policy console message
+will differ between test runs because it contains the uniquely generated blob-URL that triggered the violation. -->
+<p>This tests that a blob-URL JavaScript script fails to load because it does not match Content Security Policy <code>script-src 'self'</code>.</p>
+<pre>PASS fired error event for blob-URL script.</pre>
+</body>
+</html>
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicybloburldoesnotmatchsourceselfhtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/blob-url-does-not-match-source-self.html (0 => 196528)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/blob-url-does-not-match-source-self.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/blob-url-does-not-match-source-self.html 2016-02-13 00:24:28 UTC (rev 196528)
</span><span class="lines">@@ -0,0 +1,38 @@
</span><ins>+<!DOCTYPE html>
+<html>
+<head>
+<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline' 'unsafe-eval'">
+<script>
+if (window.testRunner)
+ testRunner.waitUntilDone();
+</script>
+</head>
+<body>
+<p>This tests that a blob-URL JavaScript script fails to load because it does not match Content Security Policy <code>script-src 'self'</code>.</p>
+<pre id="console"></pre>
+<script>
+function log(message)
+{
+ document.getElementById("console").appendChild(document.createTextNode(message + "\n"));
+}
+
+function done()
+{
+ if (window.testRunner)
+ testRunner.notifyDone();
+}
+
+var script = document.createElement("script");
+script.onload = function () {
+ log("FAIL should not have fired load event for blob-URL script.");
+ done();
+}
+script.onerror = function () {
+ log("PASS fired error event for blob-URL script.");
+ done();
+}
+script.src = window.URL.createObjectURL(new Blob(["log('FAIL should not have executed blob-URL script.');"]));
+document.head.appendChild(script);
+</script>
+</body>
+</html>
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicybloburlmatchessourceblobexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/blob-url-matches-source-blob-expected.txt (0 => 196528)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/blob-url-matches-source-blob-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/blob-url-matches-source-blob-expected.txt 2016-02-13 00:24:28 UTC (rev 196528)
</span><span class="lines">@@ -0,0 +1,5 @@
</span><ins>+This tests that a blob-URL JavaScript script loads with Content Security Policy script-src blob:.
+
+PASS executed blob-URL script.
+PASS fired load event for blob-URL script.
+
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicybloburlmatchessourceblobhtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/blob-url-matches-source-blob.html (0 => 196528)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/blob-url-matches-source-blob.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/blob-url-matches-source-blob.html 2016-02-13 00:24:28 UTC (rev 196528)
</span><span class="lines">@@ -0,0 +1,38 @@
</span><ins>+<!DOCTYPE html>
+<html>
+<head>
+<meta http-equiv="Content-Security-Policy" content="script-src blob: 'unsafe-inline'">
+<script>
+if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.waitUntilDone();
+}
+</script>
+</head>
+<p>This tests that a blob-URL JavaScript script loads with Content Security Policy <code>script-src blob:</code>.</p>
+<pre id="console"></pre>
+<script>
+function log(message)
+{
+ document.getElementById("console").appendChild(document.createTextNode(message + "\n"));
+}
+
+function done()
+{
+ if (window.testRunner)
+ testRunner.notifyDone();
+}
+
+var script = document.createElement("script");
+script.onload = function () {
+ log("PASS fired load event for blob-URL script.");
+ done();
+}
+script.onerror = function () {
+ log("FAIL should not have fired error event for blob-URL script.");
+ done();
+}
+script.src = window.URL.createObjectURL(new Blob(["log('PASS executed blob-URL script.');"]));
+document.head.appendChild(script);
+</script>
+</html>
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicybloburlsmatchselfexpectedtxt"></a>
<div class="delfile"><h4>Deleted: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/blob-urls-match-self-expected.txt (196527 => 196528)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/blob-urls-match-self-expected.txt 2016-02-13 00:22:53 UTC (rev 196527)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/blob-urls-match-self-expected.txt 2016-02-13 00:24:28 UTC (rev 196528)
</span><span class="lines">@@ -1,2 +0,0 @@
</span><del>-ALERT: PASS (1/1)!
-blob: URLs are same-origin with the page in which they were created, and should therefore match the 'self' source in CSP directives.
</del></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicybloburlsmatchselfhtml"></a>
<div class="delfile"><h4>Deleted: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/blob-urls-match-self.html (196527 => 196528)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/blob-urls-match-self.html 2016-02-13 00:22:53 UTC (rev 196527)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/blob-urls-match-self.html 2016-02-13 00:24:28 UTC (rev 196528)
</span><span class="lines">@@ -1,30 +0,0 @@
</span><del>-<!DOCTYPE html>
-<html>
- <head>
- <meta http-equiv="Content-Security-Policy" content="script-src 'unsafe-inline' 'self'">
- <script src="/js-test-resources/testharness.js"></script>
- <script src="/js-test-resources/testharnessreport.js"></script>
- <script>
- var t = async_test("blob: does not match 'self' (see step 2 of http://www.w3.org/TR/CSP2/#match-source-expression)");
-
- t.step(function () {
- var b = new Blob(['assert_unreached();'], { type: 'application/javascript' });
-
- var script = document.createElement('script');
-
- script.addEventListener('load', t.step_func(function () {
- assert_unreached();
- }));
-
- script.addEventListener('error', t.step_func(function () {
- t.done();
- }));
-
- script.src = URL.createObjectURL(b);
- document.head.appendChild(script);
- });
- </script>
- </head>
- <body>
- </body>
-</html>
</del></span></pre></div>
<a id="trunkSourceWebCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/ChangeLog (196527 => 196528)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/ChangeLog 2016-02-13 00:22:53 UTC (rev 196527)
+++ trunk/Source/WebCore/ChangeLog 2016-02-13 00:24:28 UTC (rev 196528)
</span><span class="lines">@@ -1,5 +1,24 @@
</span><span class="cx"> 2016-02-12 Daniel Bates <dabates@apple.com>
</span><span class="cx">
</span><ins>+ CSP: 'blob:' URLs should not match 'self' in CSP source expression lists.
+ https://bugs.webkit.org/show_bug.cgi?id=153158
+ <rdar://problem/24383264>
+
+ Reviewed by Brent Fulgham.
+
+ A blob URL should not match source 'self' by section Security Considerations for GUID URL schemes
+ of the Content Security Policy 2.0 spec., <https://www.w3.org/TR/CSP2/> (21 July 2015).
+
+ Tests: http/tests/security/contentSecurityPolicy/blob-url-does-not-match-source-self.html
+ http/tests/security/contentSecurityPolicy/blob-url-matches-source-blob.html
+
+ * page/csp/ContentSecurityPolicySourceList.cpp:
+ (WebCore::ContentSecurityPolicySourceList::matches): Do not make a distinction between URLs that
+ contain a nested URL (e.g. blob://http://www.example.com/...) and URLs that do not contain a nested
+ URL. The URL of the requested resource should be matched against the source list source expressions.
+
+2016-02-12 Daniel Bates <dabates@apple.com>
+
</ins><span class="cx"> CSP: Implement child-src directive
</span><span class="cx"> https://bugs.webkit.org/show_bug.cgi?id=153562
</span><span class="cx"> <rdar://problem/24610087>
</span></span></pre></div>
<a id="trunkSourceWebCorepagecspContentSecurityPolicySourceListcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/page/csp/ContentSecurityPolicySourceList.cpp (196527 => 196528)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/page/csp/ContentSecurityPolicySourceList.cpp 2016-02-13 00:22:53 UTC (rev 196527)
+++ trunk/Source/WebCore/page/csp/ContentSecurityPolicySourceList.cpp 2016-02-13 00:24:28 UTC (rev 196528)
</span><span class="lines">@@ -97,16 +97,17 @@
</span><span class="cx">
</span><span class="cx"> bool ContentSecurityPolicySourceList::matches(const URL& url)
</span><span class="cx"> {
</span><del>- if (m_allowStar)
</del><ins>+ if (m_allowStar) {
+ // FIXME: Should only match for URLs whose scheme is not blob, data or filesystem.
+ // See <https://bugs.webkit.org/show_bug.cgi?id=154122> for more details.
</ins><span class="cx"> return true;
</span><ins>+ }
</ins><span class="cx">
</span><del>- URL effectiveURL = SecurityOrigin::shouldUseInnerURL(url) ? SecurityOrigin::extractInnerURL(url) : url;
-
- if (m_allowSelf && m_policy.urlMatchesSelf(effectiveURL))
</del><ins>+ if (m_allowSelf && m_policy.urlMatchesSelf(url))
</ins><span class="cx"> return true;
</span><span class="cx">
</span><span class="cx"> for (auto& entry : m_list) {
</span><del>- if (entry.matches(effectiveURL))
</del><ins>+ if (entry.matches(url))
</ins><span class="cx"> return true;
</span><span class="cx"> }
</span><span class="cx">
</span></span></pre>
</div>
</div>
</body>
</html>