Index: third_party/WebKit/Source/core/loader/DocumentLoader.cpp |
diff --git a/third_party/WebKit/Source/core/loader/DocumentLoader.cpp b/third_party/WebKit/Source/core/loader/DocumentLoader.cpp |
index 7f689758f73ce58cb90169608e096f5f9c89130e..00bb0170eda849ca963a84a6b4b7025a6336e4b8 100644 |
--- a/third_party/WebKit/Source/core/loader/DocumentLoader.cpp |
+++ b/third_party/WebKit/Source/core/loader/DocumentLoader.cpp |
@@ -448,6 +448,24 @@ void DocumentLoader::responseReceived( |
} |
} |
+ if (RuntimeEnabledFeatures::embedderCSPEnforcementEnabled() && |
+ !frameLoader()->requiredCSP().isEmpty()) { |
+ // Check if the response allows blanket enforcment of policy from request |
+ if (ContentSecurityPolicy::checkAllowBlanketEnforcement( |
+ response, |
+ toLocalFrame(frame()->tree().parent())->document()->url())) { |
amalika
2016/10/11 19:06:46
This function is after x-frames checks where it se
|
+ m_contentSecurityPolicy->addPolicyFromHeaderValue( |
+ frameLoader()->requiredCSP(), ContentSecurityPolicyHeaderTypeEnforce, |
+ ContentSecurityPolicyHeaderSourceHTTP); |
+ } else { |
+ // TODO(amalika): Under this flag up to this pointS, we only support |
amalika
2016/10/11 19:06:46
nit: will fix the wording
|
+ // Allow-CSP-From header. |
+ // Change this after adding Subsumption Algorithm |
+ cancelLoadAfterXFrameOptionsOrCSPDenied(response); |
+ return; |
+ } |
+ } |
+ |
DCHECK(!m_frame->page()->defersLoading()); |
m_response = response; |