Adding Embedding-CSP HTTP header

third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/resources/get-embedding-csp-header-and-respond.php

Index: third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/resources/get-embedding-csp-header-and-respond.php
diff --git a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/resources/get-embedding-csp-header-and-respond.php b/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/resources/get-embedding-csp-header-and-respond.php
new file mode 100644
index 0000000000000000000000000000000000000000..f35f643e116d309dee101ce6ae5e4bf6aa5689a2
--- /dev/null
+++ b/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/resources/get-embedding-csp-header-and-respond.php
@@ -0,0 +1,12 @@
+<?php
+    $embedding_csp_header = isset($_SERVER['HTTP_EMBEDDING_CSP']) ? $_SERVER['HTTP_EMBEDDING_CSP'] : 'null';
+    $value = $_GET['value'];
+    header("Embedding-CSP: " + $value);

[amalika, 2016/09/29 13:01:14]

From my understanding header() function sets a response header?
I thought we could use this file later to reflect Content-Security-Policy
header. 
So it shouldn't say "embedding-csp: " + $value

[Mike West, 2016/09/29 13:33:13]

Sounds good (though it would need to say `Content-Security-Policy: ${value}`,
right?)!

That said, you're not actually exercising this functionality. Perhaps
introducing this file would make more sense when you actually have a blocking
implementation in place?

+?>
+
+<script>
+  var response = {};
+  response['src'] = '../resources/get-embedding-csp-header-and-respond.php';
+  response['embedding_csp'] = "<?php echo $embedding_csp_header; ?>";
+  window.top.postMessage(response, '*');
+</script>