Experimental Feature: Allow-CSP-From header

third_party/WebKit/Source/core/loader/DocumentLoader.cpp

 /*
  * Copyright (C) 2006, 2007, 2008 Apple Inc. All rights reserved.
  * Copyright (C) 2011 Google Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  *
  * 1.  Redistributions of source code must retain the above copyright
  *     notice, this list of conditions and the following disclaimer.
@@ skipping 430 matching lines @@
             SecurityMessageSource, ErrorMessageLevel, message, response.url(),
             mainResourceIdentifier());
         frame()->document()->addConsoleMessage(consoleMessage);
 
         cancelLoadAfterXFrameOptionsOrCSPDenied(response);
         return;
       }
     }
   }
 
+  if (RuntimeEnabledFeatures::embedderCSPEnforcementEnabled() &&
+      !frameLoader()->requiredCSP().isEmpty()) {
+    // Check if the response allows blanket enforcment of policy from request
+    if (ContentSecurityPolicy::checkAllowBlanketEnforcement(
+            response,
+            toLocalFrame(frame()->tree().parent())->document()->url())) {

[amalika, 2016/10/11 19:06:46]

This function is after x-frames checks where it seems like non local frames are
blocked? 
The tests are passing for cross origin iframes, but not totally sure about
remote frames and what's the correct way to get url() of the parent.

+      m_contentSecurityPolicy->addPolicyFromHeaderValue(
+          frameLoader()->requiredCSP(), ContentSecurityPolicyHeaderTypeEnforce,
+          ContentSecurityPolicyHeaderSourceHTTP);
+    } else {
+      // TODO(amalika): Under this flag up to this pointS, we only support

[amalika, 2016/10/11 19:06:46]

nit: will fix the wording

+      // Allow-CSP-From header.
+      // Change this after adding Subsumption Algorithm
+      cancelLoadAfterXFrameOptionsOrCSPDenied(response);
+      return;
+    }
+  }
+
   DCHECK(!m_frame->page()->defersLoading());
 
   m_response = response;
 
   if (isArchiveMIMEType(m_response.mimeType()) &&
       m_mainResource->getDataBufferingPolicy() != BufferData)
     m_mainResource->setDataBufferingPolicy(BufferData);
 
   if (!shouldContinueForResponse()) {
     InspectorInstrumentation::continueWithPolicyIgnore(
@@ skipping 300 matching lines @@
                              m_writer ? m_writer->encoding() : emptyAtom, true,
                              ForceSynchronousParsing);
   if (!source.isNull())
     m_writer->appendReplacingData(source);
   endWriting(m_writer.get());
 }
 
 DEFINE_WEAK_IDENTIFIER_MAP(DocumentLoader);
 
 }  // namespace blink