Merge branch 'master' of https://github.com/MoonchildProductions/UXP into html_input_datetime_1

1 files changed, 11 insertions, 8 deletions

diff --git a/dom/security/nsCSPParser.h b/dom/security/nsCSPParser.h
index 1bfc56c65..d500a1c18 100644
--- a/dom/security/nsCSPParser.h
+++ b/dom/security/nsCSPParser.h
@@ -243,14 +243,17 @@ class nsCSPParser {
     bool               mStrictDynamic;  // false, if 'strict-dynamic' is not defined
     nsCSPKeywordSrc*   mUnsafeInlineKeywordSrc; // null, otherwise invlidate()
 
-    // cache variables for child-src and frame-src directive handling.
-    // frame-src is deprecated in favor of child-src, however if we
-    // see a frame-src directive, it takes precedence for frames and iframes.
-    // At the end of parsing, if we have a child-src directive, we need to
-    // decide whether it will handle frames, or if there is a frame-src we
-    // should honor instead.
-    nsCSPChildSrcDirective* mChildSrc;
-    nsCSPDirective*         mFrameSrc;
+    // cache variables for child-src, frame-src and worker-src handling;
+    // in CSP 3 child-src is deprecated. For backwards compatibility
+    // child-src needs to restrict:
+    //   (*) frames, in case frame-src is not expicitly specified
+    //   (*) workers, in case worker-src is not expicitly specified
+    // If neither worker-src, nor child-src is present, then script-src
+    // needs to govern workers.
+    nsCSPChildSrcDirective*  mChildSrc;
+    nsCSPDirective*          mFrameSrc;
+    nsCSPDirective*          mWorkerSrc;
+    nsCSPScriptSrcDirective* mScriptSrc;
 
     // cache variable to let nsCSPHostSrc know that it's within
     // the frame-ancestors directive.