Forward CSP violation reporting from RenderFrameProxy to RenderFrameImpl.

third_party/WebKit/Source/web/WebLocalFrameImpl.cpp

 /*
  * Copyright (C) 2009 Google Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions are
  * met:
  *
  *     * Redistributions of source code must retain the above copyright
  * notice, this list of conditions and the following disclaimer.
  *     * Redistributions in binary form must reproduce the above
@@ skipping 2142 matching lines @@
 void WebLocalFrameImpl::forceSandboxFlags(WebSandboxFlags flags)
 {
     frame()->loader().forceSandboxFlags(static_cast<SandboxFlags>(flags));
 }
 
 void WebLocalFrameImpl::clearActiveFindMatch()
 {
     ensureTextFinder().clearActiveFindMatch();
 }
 
+void WebLocalFrameImpl::reportContentSecurityPolicyViolation(
+    const WebString& directiveText,
+    const WebString& effectiveDirective,
+    const WebString& consoleMessage,
+    const WebURL& blockedURL,
+    const WebVector<WebString>& reportEndpoints,
+    const WebString& header,
+    WebContentSecurityPolicyViolationType violationType,
+    bool followedRedirect)
+{
+    Vector<String> coreReportEndpoints;
+    coreReportEndpoints.reserveInitialCapacity(reportEndpoints.size());
+    for (const WebString& reportEndpoint : reportEndpoints)
+        coreReportEndpoints.append(reportEndpoint);
+
+    auto redirectStatus = followedRedirect
+        ? ResourceRequest::RedirectStatus::FollowedRedirect
+        : ResourceRequest::RedirectStatus::NoRedirect;
+
+    ContentSecurityPolicy* policy = m_frame->securityContext()->contentSecurityPolicy();
+    policy->logToConsole(ConsoleMessage::create(
+        SecurityMessageSource,
+        ErrorMessageLevel,
+        consoleMessage));
+    policy->reportViolation(
+        directiveText,
+        effectiveDirective,
+        consoleMessage,
+        blockedURL,
+        coreReportEndpoints,
+        header,
+        static_cast<ContentSecurityPolicy::ViolationType>(violationType),
+        nullptr, // contextFrame

[alexmos, 2016/08/09 18:01:20]

Looking at when reportViolation uses |contextFrame|, it seems it's used for
frame-ancestors.  So would we need to plumb this for the browser->renderer path
when the browser process starts enforcing frame-ancestors?

[Łukasz Anforowicz, 2016/08/09 22:23:20]

I am not sure.  I don't think so.  I am not sure how exactly |contextFrame| is
used in ContentSecurityPolicy::reportViolation (e.g. why and how it influences
|url| passed to PingLoader::sendViolationReport).  But... I think that instead
of passing |contextFrame|, we could just invoke
ContentSecurityPolicy::reportViolation associated with the right frame (so that
|this->document()| can always be used instead of having to do |contextFrame ?
contextFrame->document() : this->document()|).

[alexmos, 2016/08/10 20:34:33]

Acknowledged.

+        redirectStatus,
+        0); // contextLine

[alexmos, 2016/08/09 18:01:20]

nit: maybe a comment explaining why we don't have/want the line number? 
(Similar to the one you have in RemoteContentSecurityPolicy.cpp)

[Łukasz Anforowicz, 2016/08/09 22:23:20]

Done.

+}
+
 } // namespace blink