1 files changed, 10 insertions, 2 deletions

diff --git a/dom/html/HTMLSharedElement.cpp b/dom/html/HTMLSharedElement.cpp
index 85849f9f79..0dd151f473 100644
--- a/dom/html/HTMLSharedElement.cpp
+++ b/dom/html/HTMLSharedElement.cpp
@@ -85,15 +85,22 @@ static void SetBaseURIUsingFirstBaseWithHref(Document* aDocument,
           getter_AddRefs(newBaseURI), href, aDocument,
           aDocument->GetFallbackBaseURI());
 
+      // Vaguely based on
+      // <https://html.spec.whatwg.org/multipage/semantics.html#set-the-frozen-base-url>
+
+      if (newBaseURI && (newBaseURI->SchemeIs("data") ||
+                         newBaseURI->SchemeIs("javascript"))) {
+        newBaseURI = nullptr;
+      }
+
       // Check if CSP allows this base-uri
-      nsresult rv = NS_OK;
       nsCOMPtr<nsIContentSecurityPolicy> csp = aDocument->GetCsp();
       if (csp && newBaseURI) {
         // base-uri is only enforced if explicitly defined in the
         // policy - do *not* consult default-src, see:
         // http://www.w3.org/TR/CSP2/#directive-default-src
         bool cspPermitsBaseURI = true;
-        rv = csp->Permits(
+        nsresult rv = csp->Permits(
             child->AsElement(), nullptr /* nsICSPEventListener */, newBaseURI,
             nsIContentSecurityPolicy::BASE_URI_DIRECTIVE, true /* aSpecific */,
             true /* aSendViolationReports */, &cspPermitsBaseURI);
@@ -101,6 +108,7 @@ static void SetBaseURIUsingFirstBaseWithHref(Document* aDocument,
           newBaseURI = nullptr;
         }
       }
+
       aDocument->SetBaseURI(newBaseURI);
       aDocument->SetChromeXHRDocBaseURI(nullptr);
       return;