
Unified Diff: third_party/WebKit/Source/core/dom/RemoteSecurityContext.cpp

Issue 1957783002: Replicate Content-Security-Policy into remote frame proxies. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Addressed CR feedback from dcheng@. Created 4 years, 7 months ago
Index: third_party/WebKit/Source/core/dom/RemoteSecurityContext.cpp
diff --git a/third_party/WebKit/Source/core/dom/RemoteSecurityContext.cpp b/third_party/WebKit/Source/core/dom/RemoteSecurityContext.cpp
index cd753ba59bfd33737090b6fd8a951f39dd70633c..dfc8610b5d16338674713bbee2e62aa45096c0f2 100644
--- a/third_party/WebKit/Source/core/dom/RemoteSecurityContext.cpp
+++ b/third_party/WebKit/Source/core/dom/RemoteSecurityContext.cpp
@@ -6,6 +6,7 @@
#include "core/frame/csp/ContentSecurityPolicy.h"
#include "platform/weborigin/SecurityOrigin.h"
+#include "wtf/Assertions.h"
namespace blink {
@@ -16,9 +17,7 @@ RemoteSecurityContext::RemoteSecurityContext()
// we set it using replicated origin data from the browser process.
DCHECK(!getSecurityOrigin());
- // CSP will not be replicated for RemoteSecurityContexts, as it is moving
- // to the browser process. For now, initialize CSP to a default
- // locked-down policy.
+ // Start with a clean slate.
setContentSecurityPolicy(ContentSecurityPolicy::create());
// FIXME: Document::initSecurityContext has a few other things we may
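Review bot: The replacement comment `// Start with a clean slate.` no longer tells the reader what enforcement state the context is in after construction. The removed text called it a "default locked-down policy", and whether a freshly created `ContentSecurityPolicy` restricts anything is not visible in this hunk. Since 'self' is only set up later in `setReplicatedOrigin()`, I would spell that out, e.g. `// Start with an empty policy; 'self' is set up in setReplicatedOrigin() once the origin is known.` The constructor body starts and ends outside the hunk.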
@@ -38,8 +37,16 @@ DEFINE_TRACE(RemoteSecurityContext)
void RemoteSecurityContext::setReplicatedOrigin(PassRefPtr<SecurityOrigin> origin)
{
+ DCHECK(origin);
setSecurityOrigin(origin);
+ contentSecurityPolicy()->setupSelf(*getSecurityOrigin());
}
+void RemoteSecurityContext::resetReplicatedContentSecurityPolicy()
+{
+ DCHECK(getSecurityOrigin());
+ setContentSecurityPolicy(ContentSecurityPolicy::create());
+ contentSecurityPolicy()->setupSelf(*getSecurityOrigin());
+}
} // namespace blink
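Review bot: In `resetReplicatedContentSecurityPolicy()` the only guard before `*getSecurityOrigin()` is a `DCHECK`, so a build with DCHECKs compiled out would dereference a null origin if the reset is ever requested before `setReplicatedOrigin()` has run. The same pattern appears in `setReplicatedOrigin()`, where `DCHECK(origin)` is followed by `setupSelf(*getSecurityOrigin())`. Both values presumably originate from replicated browser-process state, so the ordering invariant deserves either a release-mode check or at least a stated precondition, e.g. `// Precondition: setReplicatedOrigin() has been called; 'self' is resolved against that origin.` The create-then-`setupSelf` pair could also be a small private helper, so the two steps cannot drift apart.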