Adding Embedding-CSP HTTP header

third_party/WebKit/Source/core/loader/FrameLoader.cpp

Index: third_party/WebKit/Source/core/loader/FrameLoader.cpp
diff --git a/third_party/WebKit/Source/core/loader/FrameLoader.cpp b/third_party/WebKit/Source/core/loader/FrameLoader.cpp
index 08f9cceda9ae890eb34683c361f8f5bbd7d8e0dc..754f6ca66a97205dc5d26234cd2dc266c8fb2cfe 100644
--- a/third_party/WebKit/Source/core/loader/FrameLoader.cpp
+++ b/third_party/WebKit/Source/core/loader/FrameLoader.cpp
@@ -174,6 +174,7 @@ ResourceRequest FrameLoader::resourceRequestForReload(FrameLoadType frameLoadTyp
 
 FrameLoader::FrameLoader(LocalFrame* frame)
     : m_frame(frame)
+    , m_requiredCSP(nullAtom)

[Mike West, 2016/10/06 08:00:51]

Nit: I think this is the default, isn't it? You shouldn't need to initialize
this.

     , m_progressTracker(ProgressTracker::create(frame))
     , m_loadType(FrameLoadTypeStandard)
     , m_inStopAllLoaders(false)
@@ -1440,7 +1441,10 @@ void FrameLoader::startLoad(FrameLoadRequest& frameLoadRequest, FrameLoadType ty
     frameLoadRequest.resourceRequest().setRequestContext(determineRequestContextFromNavigationType(navigationType));
     frameLoadRequest.resourceRequest().setFrameType(m_frame->isMainFrame() ? WebURLRequest::FrameTypeTopLevel : WebURLRequest::FrameTypeNested);
     ResourceRequest& request = frameLoadRequest.resourceRequest();
-    upgradeInsecureRequest(request, nullptr);
+
+    // Record the latest requiredCSP value that will be used when sending this request.
+    recordLatestRequiredCSP();
+    addOutgoingSecurityHeadersAndUpgradeRequest(request, nullptr);
     if (!shouldContinueForNavigationPolicy(request, frameLoadRequest.substituteData(), nullptr, frameLoadRequest.shouldCheckMainWorldContentSecurityPolicy(), navigationType, navigationPolicy, type == FrameLoadTypeReplaceCurrentItem, frameLoadRequest.clientRedirect() == ClientRedirectPolicy::ClientRedirect, frameLoadRequest.form()))
         return;
 
@@ -1623,8 +1627,11 @@ SecurityContext::InsecureNavigationsSet* FrameLoader::insecureNavigationsToUpgra
     return toLocalFrame(parentFrame)->document()->insecureNavigationsToUpgrade();
 }
 
-void FrameLoader::upgradeInsecureRequest(ResourceRequest& resourceRequest, Document* document) const
+void FrameLoader::addOutgoingSecurityHeadersAndUpgradeRequest(ResourceRequest& resourceRequest, Document* document) const
 {
+    if (RuntimeEnabledFeatures::embedderCSPEnforcementEnabled() && !requiredCSP().isEmpty())
+        resourceRequest.setHTTPHeaderField(HTTPNames::Embedding_CSP, requiredCSP());

[Mike West, 2016/10/06 08:00:51]

Can you add a DCHECK here that the 'requiredCSP()' value is sane?

[amalika, 2016/10/06 18:54:57]

Not sure if that's what you wanted?

+
     // Tack an 'Upgrade-Insecure-Requests' header to outgoing navigational requests, as described in
     // https://w3c.github.io/webappsec/specs/upgrade/#feature-detect
     if (resourceRequest.frameType() != WebURLRequest::FrameTypeNone) {
@@ -1636,6 +1643,11 @@ void FrameLoader::upgradeInsecureRequest(ResourceRequest& resourceRequest, Docum
         resourceRequest.addHTTPHeaderField("Upgrade-Insecure-Requests", "1");
     }
 
+    upgradeInsecureRequest(resourceRequest, document);
+}
+
+void FrameLoader::upgradeInsecureRequest(ResourceRequest& resourceRequest, Document* document) const
+{
     KURL url = resourceRequest.url();
 
     // If we don't yet have an |m_document| (because we're loading an iframe, for instance), check the FrameLoader's policy.
@@ -1661,6 +1673,10 @@ void FrameLoader::upgradeInsecureRequest(ResourceRequest& resourceRequest, Docum
     }
 }
 
+void FrameLoader::recordLatestRequiredCSP()
+{
+    m_requiredCSP = m_frame->owner() ? m_frame->owner()->csp() : nullAtom;
+}
 
 std::unique_ptr<TracedValue> FrameLoader::toTracedValue() const
 {