We should explicitly skip enforcing the Content Security Policy (CSP) of the page for media loads that are initiated by an element in a user-agent shadow tree because such elements are considered an implementation detail and should not be exposed to web developers. Currently we implicitly skip enforcement of CSP because media resources are treated as raw resources and we do not apply CSP to raw resources.
<rdar://problem/25169452>
See https://bugs.webkit.org/show_bug.cgi?id=155509
Split off skip enforcing the Content Security Policy (CSP) for media requests to blob: and other external schemes to bug #173498.
Created attachment 313151 [details] Patch
Comment on attachment 313151 [details] Patch r=me
Comment on attachment 313151 [details] Patch Clearing flags on attachment: 313151 Committed r218609: <http://trac.webkit.org/changeset/218609>
All reviewed patches have been landed. Closing bug.