Replicate Content-Security-Policy into remote frame proxies.

third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.h

Index: third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.h
diff --git a/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.h b/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.h
index f9e2466d95675d1a93b71e7a8f64bfc3863f3baa..4d62e662e67818ee738ec89a58c76778f424e1a6 100644
--- a/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.h
+++ b/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.h
@@ -55,6 +55,7 @@ class ConsoleMessage;
 class CSPDirectiveList;
 class CSPSource;
 class Document;
+class FrameLoaderClient;
 class KURL;
 class ResourceRequest;
 class SecurityOrigin;
@@ -142,11 +143,14 @@ public:
     DECLARE_TRACE();
 
     void bindToExecutionContext(ExecutionContext*);
+    void setupSelf(const SecurityOrigin&);
     void copyStateFrom(const ContentSecurityPolicy*);
     void copyPluginTypesFrom(const ContentSecurityPolicy*);
 
     void didReceiveHeaders(const ContentSecurityPolicyResponseHeaders&);
     void didReceiveHeader(const String&, ContentSecurityPolicyHeaderType, ContentSecurityPolicyHeaderSource);
+    void replicateHeader(const String&, ContentSecurityPolicyHeaderType, ContentSecurityPolicyHeaderSource);
+    void reportAccumulatedHeaders(FrameLoaderClient*) const;
 
     PassOwnPtr<Vector<CSPHeaderAndType>> headers() const;
 
@@ -271,11 +275,16 @@ private:
 
     void applyPolicySideEffectsToExecutionContext();
 
-    SecurityOrigin* getSecurityOrigin() const;
     KURL completeURL(const String&) const;
 
     void logToConsole(const String& message, MessageLevel = ErrorMessageLevel);
-    void addPolicyFromHeaderValue(const String&, ContentSecurityPolicyHeaderType, ContentSecurityPolicyHeaderSource);
+
+    FrameLoaderClient* frameLoaderClient() const;
+    enum FrameLoaderClientNotificationAction {

[dcheng, 2016/05/17 05:57:15]

This enum is quite a mouthful. Since the replication logic looks quite simple,
how about:

- The original logic for addPolicyFromheaderValue() goes into replicateHeader()
(or whatever you'd like to call it)
- addPolicyFromHeaderValue() just delegates to replicateHeader(), and always
calls FrameLoaderClient::didAddContentSecurityPolicy(...)

[Łukasz Anforowicz, 2016/05/17 17:01:23]

Done.

After the changes the check "if this is a report-only header inside a <meta>
element, bail out" happens *after* notifying FrameLoaderClient, but this should
be okay (the check will happen again when replicating so the incorrect header
will still get filtered out + the extra header in FrameReplicationState should
be rare).  I guess I could report success-vs-failure from
addPolicyFromHeaderValue and only notify FrameLoaderClient upon success (but
then this would require introducing a success-or-failure enum?  couldn't find a
generic one in Blink).

+        NotifyFrameLoaderClient,
+        DontNotifyFrameLoaderClient,
+    };
+    void addPolicyFromHeaderValue(const String&, ContentSecurityPolicyHeaderType, ContentSecurityPolicyHeaderSource, FrameLoaderClientNotificationAction = NotifyFrameLoaderClient);
 
     bool shouldSendViolationReport(const String&) const;
     void didSendViolationReport(const String&);