Replicate Content-Security-Policy into remote frame proxies.

content/test/data/frame-src-self-and-b.html

Index: content/test/data/frame-src-self-and-b.html
diff --git a/content/test/data/frame-src-self-and-b.html b/content/test/data/frame-src-self-and-b.html
new file mode 100644
index 0000000000000000000000000000000000000000..5fcd896e281bda2318a7c63e9f2e8616659916a0
--- /dev/null
+++ b/content/test/data/frame-src-self-and-b.html
@@ -0,0 +1,21 @@
+<!DOCTYPE html>
+<html>
+<head>
+<title>This page should only allow subframes from the same origin or b.com</title>
+</head>
+<body>
+This page should only allow subframes from the same origin or from b.com,
+because its CSP headers specify frame-src 'self' and 'b.com'.
+<iframe src="/cross-site/b.com/title2.html"></iframe>
+<iframe srcdoc="
+  &lt;html&gt;

[alexmos, 2016/05/16 16:17:03]

Looking at some other test files with srcdoc iframes, some of them get away
without the escaping - is it really required here?

[Łukasz Anforowicz, 2016/05/16 19:44:45]

Oh, indeed - I assumed that I need to escape, but HTML5 spec seems to say that I
only need to escape the quote character.  OTOH it also says that "'text' must
not contain control characters other than space characters" and I remember
reading elsewhere that newlines are okay.  Some people think that indeed only
quote needs to be escaped (http://stackoverflow.com/a/8047332).

Done.

+    <head>
+      <title>subtitle1</title>
+    </head>
+    <body>
+      <iframe src="/cross-site/b.com/title2.html"></iframe>
+    </body>
+  &lt;/html&gt;"></iframe>
+</body>
+</html>
+