Replicate Content-Security-Policy into remote frame proxies.

third_party/WebKit/Source/core/dom/RemoteSecurityContext.cpp

Index: third_party/WebKit/Source/core/dom/RemoteSecurityContext.cpp
diff --git a/third_party/WebKit/Source/core/dom/RemoteSecurityContext.cpp b/third_party/WebKit/Source/core/dom/RemoteSecurityContext.cpp
index cd753ba59bfd33737090b6fd8a951f39dd70633c..be9e8c4c0ff2aa453bd9a07550bf19dca4cb2d99 100644
--- a/third_party/WebKit/Source/core/dom/RemoteSecurityContext.cpp
+++ b/third_party/WebKit/Source/core/dom/RemoteSecurityContext.cpp
@@ -6,6 +6,7 @@
 
 #include "core/frame/csp/ContentSecurityPolicy.h"
 #include "platform/weborigin/SecurityOrigin.h"
+#include "wtf/Assertions.h"
 
 namespace blink {
 
@@ -16,10 +17,8 @@ RemoteSecurityContext::RemoteSecurityContext()
     // we set it using replicated origin data from the browser process.
     DCHECK(!getSecurityOrigin());
 
-    // CSP will not be replicated for RemoteSecurityContexts, as it is moving
-    // to the browser process.  For now, initialize CSP to a default
-    // locked-down policy.
-    setContentSecurityPolicy(ContentSecurityPolicy::create());
+    // Start with a clean slate.
+    resetReplicatedContentSecurityPolicy();
 
     // FIXME: Document::initSecurityContext has a few other things we may
     // eventually want here, such as enforcing a setting to
@@ -38,8 +37,16 @@ DEFINE_TRACE(RemoteSecurityContext)
 
 void RemoteSecurityContext::setReplicatedOrigin(PassRefPtr<SecurityOrigin> origin)
 {
+    ASSERT(origin);
     setSecurityOrigin(origin);
+    contentSecurityPolicy()->setupSelf(*getSecurityOrigin());
 }
 
+void RemoteSecurityContext::resetReplicatedContentSecurityPolicy()
+{
+    setContentSecurityPolicy(ContentSecurityPolicy::create());
+    if (getSecurityOrigin())
+        contentSecurityPolicy()->setupSelf(*getSecurityOrigin());
+}
 
 } // namespace blink