Replicate Content-Security-Policy into remote frame proxies.

third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.h

 /*
  * Copyright (C) 2011 Google, Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
@@ skipping 124 matching lines @@
     };
 
     static ContentSecurityPolicy* create()
     {
         return new ContentSecurityPolicy();
     }
     ~ContentSecurityPolicy();
     DECLARE_TRACE();
 
     void bindToExecutionContext(ExecutionContext*);
+    void setupSelf(const SecurityOrigin&);
     void copyStateFrom(const ContentSecurityPolicy*);
     void copyPluginTypesFrom(const ContentSecurityPolicy*);
 
     void didReceiveHeaders(const ContentSecurityPolicyResponseHeaders&);
     void didReceiveHeader(const String&, ContentSecurityPolicyHeaderType, ContentSecurityPolicyHeaderSource);
+    void replicateHeader(const String&, ContentSecurityPolicyHeaderType, ContentSecurityPolicyHeaderSource);
 
     PassOwnPtr<Vector<CSPHeaderAndType>> headers() const;
 
     bool allowJavaScriptURLs(const String& contextURL, const WTF::OrdinalNumber& contextLine, ReportingStatus = SendReport) const;
     bool allowInlineEventHandler(const String& source, const String& contextURL, const WTF::OrdinalNumber& contextLine, ReportingStatus = SendReport) const;
     bool allowInlineScript(const String& contextURL, const WTF::OrdinalNumber& contextLine, const String& scriptContent, ReportingStatus = SendReport) const;
     bool allowInlineStyle(const String& contextURL, const WTF::OrdinalNumber& contextLine, const String& styleContent, ReportingStatus = SendReport) const;
     // When the reporting status is |SendReport|, the |ExceptionStatus|
     // should indicate whether the caller will throw a JavaScript
     // exception in the event of a violation. When the caller will throw
@@ skipping 104 matching lines @@
 
     static bool isDirectiveName(const String&);
 
     Document* document() const;
 
 private:
     ContentSecurityPolicy();
 
     void applyPolicySideEffectsToExecutionContext();
 
-    SecurityOrigin* getSecurityOrigin() const;
     KURL completeURL(const String&) const;
 
     void logToConsole(const String& message, MessageLevel = ErrorMessageLevel);
-    void addPolicyFromHeaderValue(const String&, ContentSecurityPolicyHeaderType, ContentSecurityPolicyHeaderSource);
+
+    enum FrameLoaderClientNotificationStatus {
+        NotifyFrameLoaderClient,
+        DontNotifyFrameLoaderClient,
+    };
+    void addPolicyFromHeaderValue(const String&, ContentSecurityPolicyHeaderType, ContentSecurityPolicyHeaderSource, FrameLoaderClientNotificationStatus = NotifyFrameLoaderClient);

[alexmos, 2016/05/12 22:37:25]

Note that this enum might be useful more generally (e.g., see
FocusController::focusDocumentView).  Fine not to do this here though.

(speaking of which, NotifyEmbedder might be a more succinct name to use :) )

[Łukasz Anforowicz, 2016/05/13 17:29:15]

Acknowledged.

 
     bool shouldSendViolationReport(const String&) const;
     void didSendViolationReport(const String&);
 
     Member<ExecutionContext> m_executionContext;
     bool m_overrideInlineStyleAllowed;
     CSPDirectiveListVector m_policies;
     ConsoleMessageVector m_consoleMessages;
 
     HashSet<unsigned, AlreadyHashed> m_violationReportsSent;
@@ skipping 12 matching lines @@
     String m_disableEvalErrorMessage;
     SecurityContext::InsecureRequestsPolicy m_insecureRequestsPolicy;
 
     Member<CSPSource> m_selfSource;
     String m_selfProtocol;
 };
 
 } // namespace blink
 
 #endif