Currently the Content Security Policy base-uri directive is guarded by ENABLE(CSP_NEXT) and a runtime flag, both are disabled by default. This directive has been part of the Content Security Policy spec. since version 1.1 and other browsers, Google Chrome, have enabled it by default for some time. We should enable it by default.
<rdar://problem/24762032>
Created attachment 271893 [details] Patch and Layout Tests
Created attachment 272046 [details] Patch and Layout Tests Added base-uri to the list of standard CSP directives and modified LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-no-semicolon.html to ensure that we emit a warning message when base-uri is used as a source expression.
Comment on attachment 272046 [details] Patch and Layout Tests r=me.
Committed r197007: <http://trac.webkit.org/changeset/197007>