Move 'frame-src' CSP checks into FrameFetchContext.

third_party/WebKit/Source/core/loader/DocumentLoader.cpp

Index: third_party/WebKit/Source/core/loader/DocumentLoader.cpp
diff --git a/third_party/WebKit/Source/core/loader/DocumentLoader.cpp b/third_party/WebKit/Source/core/loader/DocumentLoader.cpp
index 2a76e14272ea498a29abb8fc6931284c241d6a05..2d914d1efd502d08f4a124c9f792bf0162ae8ff7 100644
--- a/third_party/WebKit/Source/core/loader/DocumentLoader.cpp
+++ b/third_party/WebKit/Source/core/loader/DocumentLoader.cpp
@@ -308,7 +308,7 @@ void DocumentLoader::redirectReceived(Resource* resource, ResourceRequest& reque
         m_fetcher->stopFetching();
         return;
     }
-    if (!frameLoader()->shouldContinueForNavigationPolicy(m_request, SubstituteData(), this, CheckContentSecurityPolicy, m_navigationType, NavigationPolicyCurrentTab, replacesCurrentHistoryItem(), isClientRedirect())) {
+    if (!frameLoader()->shouldContinueForNavigationPolicy(m_request, SubstituteData(), this, m_navigationType, NavigationPolicyCurrentTab, replacesCurrentHistoryItem(), isClientRedirect())) {
         m_fetcher->stopFetching();
         return;
     }
@@ -608,7 +608,14 @@ bool DocumentLoader::maybeLoadEmpty()
     return true;
 }
 
-void DocumentLoader::startLoadingMainResource()
+void DocumentLoader::loadUnique()
+{
+    m_request = ResourceRequest(SecurityOrigin::urlWithUniqueSecurityOrigin());
+    m_response = ResourceResponse(m_request.url(), "text/html", 0, nullAtom, String());
+    finishedLoading(monotonicallyIncreasingTime());
+}
+
+void DocumentLoader::startLoadingMainResource(ContentSecurityPolicyDisposition cspDisposition)
 {
     timing().markNavigationStart();
     ASSERT(!m_mainResource);
@@ -625,10 +632,15 @@ void DocumentLoader::startLoadingMainResource()
     DEFINE_STATIC_LOCAL(ResourceLoaderOptions, mainResourceLoadOptions,
         (DoNotBufferData, AllowStoredCredentials, ClientRequestedCredentials, CheckContentSecurityPolicy, DocumentContext));
     FetchRequest fetchRequest(m_request, FetchInitiatorTypeNames::document, mainResourceLoadOptions);
+    fetchRequest.setContentSecurityCheck(cspDisposition);
+
     m_mainResource = RawResource::fetchMainResource(fetchRequest, fetcher(), m_substituteData);
     if (!m_mainResource) {
-        m_request = ResourceRequest(blankURL());
-        maybeLoadEmpty();
+        // If we block a main resource request, ensure that the resulting frame's
+        // origin is unique, and that the redirect list is up-to-date with the
+        // resource we actually commit:
+        loadUnique();
+        appendRedirect(SecurityOrigin::urlWithUniqueSecurityOrigin());

[Mike West, 2016/06/06 08:40:10]

Charlie: It seems reasonable to me to treat blocking as a redirect of its own (I
can imagine that clients of the redirects array might actually want the URL that
we would have loaded if it hadn't been blocked). That approach also lends itself
to the current implementation (as we append a redirect in FrameLoader before we
have any idea whether or not we'll end up blocking the request.

Does this seem like a reasonable approach, or should we refactor the append
entirely?

[Charlie Reis, 2016/06/06 20:43:07]

Hmm, that feels weird/unfortunate to me, but maybe it works.  I thought the goal
was to act like the renderer never got to the blocked URL, but here we're making
it look like it went through the blocked URL to end up at about:blank.

That said, I don't know if anything looks at the intermediate hops of the
redirects array and infers that the renderer had access to them, and I don't
know this area well enough to recommend a better plan.  It certainly seems
better to do this than leave the blocked URL as the last item of the redirects
array, which we do assume to be equal to the committed URL in some places.  I'll
defer unless Nate has a better idea.

         return;
     }
     // A bunch of headers are set when the underlying ResourceLoader is created, and m_request needs to include those.