Adding Embedding-CSP HTTP header

third_party/WebKit/Source/core/loader/FrameLoader.cpp

Index: third_party/WebKit/Source/core/loader/FrameLoader.cpp
diff --git a/third_party/WebKit/Source/core/loader/FrameLoader.cpp b/third_party/WebKit/Source/core/loader/FrameLoader.cpp
index 6dc607167d33f28a94ee4f7f5078d86f0bf1a722..3b2c7fe6cb8aac3eba91e9886dd483ee4383cd8a 100644
--- a/third_party/WebKit/Source/core/loader/FrameLoader.cpp
+++ b/third_party/WebKit/Source/core/loader/FrameLoader.cpp
@@ -186,6 +186,7 @@ ResourceRequest FrameLoader::resourceRequestForReload(
 
 FrameLoader::FrameLoader(LocalFrame* frame)
     : m_frame(frame),
+      m_requiredCSP(nullAtom),
       m_progressTracker(ProgressTracker::create(frame)),
       m_loadType(FrameLoadTypeStandard),
       m_inStopAllLoaders(false),
@@ -1606,7 +1607,10 @@ void FrameLoader::startLoad(FrameLoadRequest& frameLoadRequest,
       m_frame->isMainFrame() ? WebURLRequest::FrameTypeTopLevel
                              : WebURLRequest::FrameTypeNested);
   ResourceRequest& request = frameLoadRequest.resourceRequest();
-  upgradeInsecureRequest(request, nullptr);
+
+  // Record the latest requiredCSP value that will be used when sending this request.
+  recordLatestRequiredCSP();
+  modifyRequestForCSP(request, nullptr);
   if (!shouldContinueForNavigationPolicy(
           request, frameLoadRequest.substituteData(), nullptr,
           frameLoadRequest.shouldCheckMainWorldContentSecurityPolicy(),
@@ -1818,10 +1822,13 @@ FrameLoader::insecureNavigationsToUpgrade() const {
   return toLocalFrame(parentFrame)->document()->insecureNavigationsToUpgrade();
 }
 
-void FrameLoader::upgradeInsecureRequest(ResourceRequest& resourceRequest,
-                                         Document* document) const {
-  // Tack an 'Upgrade-Insecure-Requests' header to outgoing navigational
-  // requests, as described in
+void FrameLoader::modifyRequestForCSP(ResourceRequest& resourceRequest,
+                                      Document* document) const {
+  if (RuntimeEnabledFeatures::embedderCSPEnforcementEnabled() &&
+      !requiredCSP().isEmpty())

[Mike West, 2016/10/06 13:30:21]

Nit: {}.

+    resourceRequest.setHTTPHeaderField(HTTPNames::Embedding_CSP, requiredCSP());
+
+  // Tack an 'Upgrade-Insecure-Requests' header to outgoing navigational requests, as described in
   // https://w3c.github.io/webappsec/specs/upgrade/#feature-detect
   if (resourceRequest.frameType() != WebURLRequest::FrameTypeNone) {
     // Early return if the request has already been upgraded.
@@ -1832,6 +1839,11 @@ void FrameLoader::upgradeInsecureRequest(ResourceRequest& resourceRequest,
     resourceRequest.addHTTPHeaderField("Upgrade-Insecure-Requests", "1");
   }
 
+  upgradeInsecureRequest(resourceRequest, document);
+}
+
+void FrameLoader::upgradeInsecureRequest(ResourceRequest& resourceRequest,
+                                         Document* document) const {
   KURL url = resourceRequest.url();
 
   // If we don't yet have an |m_document| (because we're loading an iframe, for
@@ -1864,6 +1876,10 @@ void FrameLoader::upgradeInsecureRequest(ResourceRequest& resourceRequest,
   }
 }
 
+void FrameLoader::recordLatestRequiredCSP() {
+  m_requiredCSP = m_frame->owner() ? m_frame->owner()->csp() : nullAtom;
+}
+
 std::unique_ptr<TracedValue> FrameLoader::toTracedValue() const {
   std::unique_ptr<TracedValue> tracedValue = TracedValue::create();
   tracedValue->beginDictionary("frame");