
Unified Diff: content/common/content_security_policy/csp_source_list.cc

Issue 2937503002: CSP, PlzNavigate: make clear what happens with unique origins. (Closed)
Patch Set: Add web platform tests. Created 3 years, 6 months ago
Index: content/common/content_security_policy/csp_source_list.cc
diff --git a/content/common/content_security_policy/csp_source_list.cc b/content/common/content_security_policy/csp_source_list.cc
index be6ba9c4b0697cb59cab814faddcf8bf542c7108..d48b7c77b332d7d13c3d9904aa38364148196af7 100644
--- a/content/common/content_security_policy/csp_source_list.cc
+++ b/content/common/content_security_policy/csp_source_list.cc
@@ -27,7 +27,10 @@ CSPSourceList::CSPSourceList()
CSPSourceList::CSPSourceList(bool allow_self,
bool allow_star,
std::vector<CSPSource> sources)
- : allow_self(allow_self), allow_star(allow_star), sources(sources) {}
+ : allow_self(allow_self), allow_star(allow_star), sources(sources) {
+ // When the '*' source is used, it must be the only one.
+ DCHECK(!allow_star || (!allow_self && sources.empty()));
+}
CSPSourceList::CSPSourceList(const CSPSourceList&) = default;
CSPSourceList::~CSPSourceList() = default;
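Review bot: The `DCHECK` added to the three-argument constructor only holds in DCHECK-enabled builds, so a release build still accepts `allow_star` together with `allow_self` or a non-empty `sources`. Where these fields come from is not visible in this hunk; if they are filled from a parsed policy or from another process, the invariant is assumed rather than enforced. A header such as `img-src * data:` is valid CSP, so it is worth confirming that the producer normalises such a list before it reaches this constructor. I would at least record the contract next to the check, e.g. `// Callers must pass a normalised list; this is not enforced when DCHECKs are off.`, and say which layer does the normalisation.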
@@ -44,14 +47,18 @@ bool CSPSourceList::Allow(const CSPSourceList& source_list,
// list.
if (source_list.allow_star) {
if (url.SchemeIsHTTPOrHTTPS() || url.SchemeIsSuborigin() ||
- url.SchemeIsWSOrWSS() || url.SchemeIs("ftp") ||
- context->ProtocolIsSelf(url))
+ url.SchemeIsWSOrWSS() || url.SchemeIs("ftp")) {
+ return true;
+ }
+ if (context->self_source() && url.SchemeIs(context->self_source()->scheme))
return true;
-
- return AllowFromSources(url, source_list.sources, context, is_redirect);
}
- if (source_list.allow_self && context->AllowSelf(url)) return true;
+ if (source_list.allow_self && context->self_source() &&
+ CSPSource::Allow(context->self_source().value(), url, context,
+ is_redirect)) {
+ return true;
+ }
return AllowFromSources(url, source_list.sources, context, is_redirect);
}
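Review bot: Both new `context->self_source()` guards turn a missing self source into "no match" without saying so, in the `allow_star` branch and in the `allow_self` branch. Given the issue title, this is presumably the unique-origin case, and it is the security-relevant decision of the change, so it deserves a comment at each site, e.g. `// No self source (unique origin): 'self' and the self-scheme case of '*' match nothing.` The second `if` inside the `allow_star` block is also left unbraced while the one above it gained braces; bracing it keeps the two early returns visually parallel. The body of `CSPSourceList::Allow` starts above this hunk, so any existing comment there is not visible here.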
