Adding Embedding-CSP HTTP header

third_party/WebKit/Source/core/loader/FrameLoader.cpp

 /*
  * Copyright (C) 2006, 2007, 2008, 2009, 2010, 2011 Apple Inc. All rights reserved.
  * Copyright (C) 2008 Nokia Corporation and/or its subsidiary(-ies)
  * Copyright (C) 2008, 2009 Torch Mobile Inc. All rights reserved. (http://www.torchmobile.com/)
  * Copyright (C) 2008 Alp Toker <alp@atoker.com>
  * Copyright (C) Research In Motion Limited 2009. All rights reserved.
  * Copyright (C) 2011 Kris Jordan <krisjordan@gmail.com>
  * Copyright (C) 2011 Google Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ skipping 965 matching lines @@
         request.setFrameName("_self");
         targetFrame->navigate(request);
         Page* page = targetFrame->page();
         if (!wasInSamePage && page)
             page->chromeClient().focus();
         return;
     }
 
     setReferrerForFrameRequest(request);
 
+    AtomicString requiredCSP = m_frame->owner() ? m_frame->owner()->csp() : nullAtom;
+    if (RuntimeEnabledFeatures::embedderCSPEnforcementEnabled() && !requiredCSP.isNull()) {
+        // Record the latest requiredCSP value that was used when sending this request.

[amalika, 2016/09/29 13:01:14]

This seems to be necessary to make sure we correctly check against the CSP
response even if csp attribute has changed.

[Mike West, 2016/09/29 13:33:13]

I agree that we need to bind the required CSP so that it's locked in at
load-time, but I don't think `Window` is the right place to put it. In
particular, we certainly don't need to replicate the value out to remote
anythings, as it's a local cache for this process.

Where are you planning on doing the blocking checks? I'd guess we'd end up doing
those somewhere near
https://cs.chromium.org/chromium/src/third_party/WebKit/Source/core/loader/Do...
in the short term (and somewhere in `//content` in the long term, similar to
what we're doing for `X-Frame-Options`). We have access to the `FrameLoader`
there, so why not just cache the value here? That's vaguely similar to what we
do for `Upgrade-Insecure-Requests` (but we just reach up to the parent for that
getter, because we don't have the same problem of changing values).

+        m_frame->localDOMWindow()->setRequiredCSP(requiredCSP);
+        request.resourceRequest().setHTTPHeaderField(HTTPNames::Embedding_CSP, requiredCSP);

[Mike West, 2016/09/29 13:33:13]

I think I'd prefer to push this logic out to a separate function. Perhaps we
could combine this and
https://cs.chromium.org/chromium/src/third_party/WebKit/Source/core/loader/Fr...
from `FrameLoader::upgradeInsecureRequest` into something like
`FrameLoader::addOutgoingSecurityHeaders` (or whatever)?

Note also that you'll need to deduplicate the header in case of redirects (as
you'll hit `load` again). The code in `upgradeInsecureRequest` is a good model.

+    }
+
     FrameLoadType newLoadType = (frameLoadType == FrameLoadTypeStandard) ?
         determineFrameLoadType(request) : frameLoadType;
     NavigationPolicy policy = navigationPolicyForRequest(request);
     if (shouldOpenInNewWindow(targetFrame, request, policy)) {
         if (policy == NavigationPolicyDownload) {
             client()->loadURLExternally(request.resourceRequest(), NavigationPolicyDownload, String(), false);
         } else {
             request.resourceRequest().setFrameType(WebURLRequest::FrameTypeAuxiliary);
             createWindowForRequest(request, *m_frame, policy);
         }
@@ skipping 678 matching lines @@
     tracedValue->setString("documentLoaderURL", m_documentLoader ? m_documentLoader->url() : String());
     return tracedValue;
 }
 
 inline void FrameLoader::takeObjectSnapshot() const
 {
     TRACE_EVENT_OBJECT_SNAPSHOT_WITH_ID("loading", "FrameLoader", this, toTracedValue());
 }
 
 } // namespace blink