We should merge <https://src.chromium.org/viewvc/blink?view=rev&revision=164952>. CSP: Check <param> element values against the document's CSP before loading. We ought to take account of the 'param' element parsing behavior that happens in 'HTMLObjectElement'. This patch moves the pluginIsLoadable check to make that happen. To avoid 'setTimeout' in the test, and to align with the spec[1], this patch also starts dispatching an 'error' event on load failure for 'object' elements. [1]: #4.6 ("If the load failed...") of http://www.whatwg.org/specs/web-apps/current-work/multipage/the-iframe-element.html#the-object-element
<rdar://problem/24383209>
Created attachment 273059 [details] Patch and Layout Tests
Comment on attachment 273059 [details] Patch and Layout Tests View in context: https://bugs.webkit.org/attachment.cgi?id=273059&action=review Very nice! r=me. > LayoutTests/TestExpectations:-851 > -webkit.org/b/153153 http/tests/security/contentSecurityPolicy/object-src-param-url-blocked.html Hooray!
Committed r197697: <http://trac.webkit.org/changeset/197697>