Experimental Feature: Allow-CSP-From header

third_party/WebKit/Source/core/loader/DocumentLoader.cpp

 /*
  * Copyright (C) 2006, 2007, 2008 Apple Inc. All rights reserved.
  * Copyright (C) 2011 Google Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  *
  * 1.  Redistributions of source code must retain the above copyright
  *     notice, this list of conditions and the following disclaimer.
@@ skipping 430 matching lines @@
             SecurityMessageSource, ErrorMessageLevel, message, response.url(),
             mainResourceIdentifier());
         frame()->document()->addConsoleMessage(consoleMessage);
 
         cancelLoadAfterXFrameOptionsOrCSPDenied(response);
         return;
       }
     }
   }
 
+  if (RuntimeEnabledFeatures::embedderCSPEnforcementEnabled() &&
+      !frameLoader()->requiredCSP().isEmpty()) {
+    // Check if the response allows blanket enforcment of policy from request
+    if (ContentSecurityPolicy::checkAllowBlanketEnforcement(
+            response,
+            toLocalFrame(frame()->tree().parent())->document()->url())) {

[Mike West, 2016/10/13 11:01:42]

1. You can't know that the parent is a local frame; it might be remote, at which
point this code would explode.

2. Checking against the URL misses some cases where the URL and the origin don't
match (consider `<iframe sandbox="">` for instance).

I'd suggest just grabbing the parent frame's security context and looking at its
origin for the comparison. Something like:

```
frame()->tree().parent()->securityContext()->getSecurityContext()
```

+      m_contentSecurityPolicy->addPolicyFromHeaderValue(
+          frameLoader()->requiredCSP(), ContentSecurityPolicyHeaderTypeEnforce,
+          ContentSecurityPolicyHeaderSourceHTTP);
+    } else {
+      // TODO(amalika): Under this flag up to this pointS, we only support
+      // Allow-CSP-From header.
+      // Change this after adding Subsumption Algorithm
+      cancelLoadAfterXFrameOptionsOrCSPDenied(response);
+      return;
+    }
+  }
+
   DCHECK(!m_frame->page()->defersLoading());
 
   m_response = response;
 
   if (isArchiveMIMEType(m_response.mimeType()) &&
       m_mainResource->getDataBufferingPolicy() != BufferData)
     m_mainResource->setDataBufferingPolicy(BufferData);
 
   if (!shouldContinueForResponse()) {
     InspectorInstrumentation::continueWithPolicyIgnore(
@@ skipping 300 matching lines @@
                              m_writer ? m_writer->encoding() : emptyAtom, true,
                              ForceSynchronousParsing);
   if (!source.isNull())
     m_writer->appendReplacingData(source);
   endWriting(m_writer.get());
 }
 
 DEFINE_WEAK_IDENTIFIER_MAP(DocumentLoader);
 
 }  // namespace blink