Adding Embedding-CSP HTTP header

third_party/WebKit/Source/core/loader/FrameFetchContext.cpp

Index: third_party/WebKit/Source/core/loader/FrameFetchContext.cpp
diff --git a/third_party/WebKit/Source/core/loader/FrameFetchContext.cpp b/third_party/WebKit/Source/core/loader/FrameFetchContext.cpp
index 84d160747aaf9f322b4bdf23495fb1f1ba5622da..ba330754a6ac8f6dd2b8935bd71fe0ef54ba08d7 100644
--- a/third_party/WebKit/Source/core/loader/FrameFetchContext.cpp
+++ b/third_party/WebKit/Source/core/loader/FrameFetchContext.cpp
@@ -699,7 +699,9 @@ SecurityOrigin* FrameFetchContext::getSecurityOrigin() const
 
 void FrameFetchContext::upgradeInsecureRequest(ResourceRequest& resourceRequest)
 {
-    frame()->loader().upgradeInsecureRequest(resourceRequest, m_document);
+    // Record the latest requiredCSP value that will be used when sending this request.
+    frame()->loader().recordLatestRequiredCSP();
+    frame()->loader().addOutgoingSecurityHeaders(resourceRequest, m_document);

[Mike West, 2016/09/30 13:11:49]

This seems strange. I don't know why we call into upgradeInsecureRequest from
here and frameloader. Let me dig into that a moment.

 }
 
 void FrameFetchContext::addClientHintsIfNecessary(FetchRequest& fetchRequest)