
Unified Diff: third_party/WebKit/Source/core/loader/DocumentLoader.cpp

Issue 2321503002: (Re-)introduce AncestorThrottle to handle 'X-Frame-Options'. (Closed)
Patch Set: Rebase after a month... Created 4 years, 2 months ago
Index: third_party/WebKit/Source/core/loader/DocumentLoader.cpp
diff --git a/third_party/WebKit/Source/core/loader/DocumentLoader.cpp b/third_party/WebKit/Source/core/loader/DocumentLoader.cpp
index 6deae0530fb5b2f39bc9336180763da458615e88..b8f8eacc3b06e9d9e85d1e04fe248aa12afe25d9 100644
--- a/third_party/WebKit/Source/core/loader/DocumentLoader.cpp
+++ b/third_party/WebKit/Source/core/loader/DocumentLoader.cpp
@@ -109,7 +109,7 @@ DocumentLoader::DocumentLoader(LocalFrame* frame,
m_documentLoadTiming(*this),
m_timeOfLastDataReceived(0.0),
m_applicationCacheHost(ApplicationCacheHost::create(this)),
- m_wasBlockedAfterXFrameOptionsOrCSP(false),
+ m_wasBlockedAfterCSP(false),
m_state(NotStarted),
m_inDataReceived(false),
m_dataBuffer(SharedBuffer::create()) {}
@@ -274,6 +274,13 @@ void DocumentLoader::notifyFinished(Resource* resource) {
if (m_applicationCacheHost)
m_applicationCacheHost->failedLoadingMainResource();
m_state = MainResourceDone;
+
+ if (m_mainResource->resourceError().wasBlockedByResponse()) {
+ InspectorInstrumentation::canceledAfterReceivedResourceResponse(
+ m_frame, this, mainResourceIdentifier(), resource->response(),
+ m_mainResource.get());
+ }
+
frameLoader()->loadFailed(this, m_mainResource->resourceError());
clearMainResourceHandle();
}
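Review bot: The new block in notifyFinished does not say why a response-blocked error needs an inspector notification from the failure path, and it mixes `resource->response()` with `m_mainResource->resourceError()` on adjacent lines, so a reader cannot tell from the hunk whether the two refer to the same resource. Judging by the issue title, this is presumably the case where the response was rejected before Blink saw it (the ancestor throttle), so DevTools would otherwise never learn that the request was canceled after its headers arrived; a comment such as `// Blocked at the response stage before Blink saw it (e.g. X-Frame-Options); DevTools has not been told about this cancelation yet.` should state that, confirmed against the throttle. If `resource` and `m_mainResource.get()` are always the same object here, use one of them consistently. notifyFinished starts before the hunk.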
@@ -378,12 +385,12 @@ bool DocumentLoader::shouldContinueForResponse() const {
return true;
}
-void DocumentLoader::cancelLoadAfterXFrameOptionsOrCSPDenied(
+void DocumentLoader::cancelLoadAfterCSPDenied(
const ResourceResponse& response) {
- InspectorInstrumentation::continueAfterXFrameOptionsDenied(
+ InspectorInstrumentation::canceledAfterReceivedResourceResponse(
m_frame, this, mainResourceIdentifier(), response, m_mainResource.get());
- setWasBlockedAfterXFrameOptionsOrCSP();
+ setWasBlockedAfterCSP();
// Pretend that this was an empty HTTP 200 response. Don't reuse the original
// URL for the empty page (https://crbug.com/622385).
@@ -424,34 +431,10 @@ void DocumentLoader::responseReceived(
m_contentSecurityPolicy->didReceiveHeaders(
ContentSecurityPolicyResponseHeaders(response));
if (!m_contentSecurityPolicy->allowAncestors(m_frame, response.url())) {
- cancelLoadAfterXFrameOptionsOrCSPDenied(response);
+ cancelLoadAfterCSPDenied(response);
return;
}
- // 'frame-ancestors' obviates 'x-frame-options':
- // https://w3c.github.io/webappsec/specs/content-security-policy/#frame-ancestors-and-frame-options
- if (!m_contentSecurityPolicy->isFrameAncestorsEnforced()) {
- HTTPHeaderMap::const_iterator it =
- response.httpHeaderFields().find(HTTPNames::X_Frame_Options);
- if (it != response.httpHeaderFields().end()) {
- String content = it->value;
- if (frameLoader()->shouldInterruptLoadForXFrameOptions(
- content, response.url(), mainResourceIdentifier())) {
- String message = "Refused to display '" +
- response.url().elidedString() +
- "' in a frame because it set 'X-Frame-Options' to '" +
- content + "'.";
- ConsoleMessage* consoleMessage = ConsoleMessage::createForRequest(
- SecurityMessageSource, ErrorMessageLevel, message, response.url(),
- mainResourceIdentifier());
- frame()->document()->addConsoleMessage(consoleMessage);
-
- cancelLoadAfterXFrameOptionsOrCSPDenied(response);
- return;
- }
- }
- }
-
if (RuntimeEnabledFeatures::embedderCSPEnforcementEnabled() &&
!frameLoader()->requiredCSP().isEmpty()) {
SecurityOrigin* parentSecurityOrigin =
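Review bot: Removing the in-renderer check drops two behaviours that the commit, as visible here, does not replace: the "Refused to display ..." console message, and the precedence rule that an enforced `frame-ancestors` directive obviates `X-Frame-Options`. Whatever now enforces the header (the AncestorThrottle named in the issue title, not in view) cannot consult `m_contentSecurityPolicy->isFrameAncestorsEnforced()` from this object, so it has to evaluate the CSP header itself to keep that precedence; otherwise a response allowed by `frame-ancestors` but carrying a restrictive `X-Frame-Options` would be blocked contrary to the spec linked in the removed comment. Please confirm the throttle also reports the block to the console, since an unexplained blank frame is hard for developers to diagnose. A short pointer at the removal site, `// 'X-Frame-Options' is enforced before the response reaches Blink (AncestorThrottle); the 'frame-ancestors' precedence rule must be honored there.`, would tell the next reader where the check went. responseReceived begins and continues outside the hunk.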
@@ -470,7 +453,7 @@ void DocumentLoader::responseReceived(
SecurityMessageSource, ErrorMessageLevel, message, response.url(),
mainResourceIdentifier());
frame()->document()->addConsoleMessage(consoleMessage);
- cancelLoadAfterXFrameOptionsOrCSPDenied(response);
+ cancelLoadAfterCSPDenied(response);
return;
}
}
