Experimental Feature: Allow-CSP-From header

third_party/WebKit/Source/core/loader/DocumentLoader.cpp

Index: third_party/WebKit/Source/core/loader/DocumentLoader.cpp
diff --git a/third_party/WebKit/Source/core/loader/DocumentLoader.cpp b/third_party/WebKit/Source/core/loader/DocumentLoader.cpp
index 7f689758f73ce58cb90169608e096f5f9c89130e..00bb0170eda849ca963a84a6b4b7025a6336e4b8 100644
--- a/third_party/WebKit/Source/core/loader/DocumentLoader.cpp
+++ b/third_party/WebKit/Source/core/loader/DocumentLoader.cpp
@@ -448,6 +448,24 @@ void DocumentLoader::responseReceived(
     }
   }
 
+  if (RuntimeEnabledFeatures::embedderCSPEnforcementEnabled() &&
+      !frameLoader()->requiredCSP().isEmpty()) {
+    // Check if the response allows blanket enforcment of policy from request
+    if (ContentSecurityPolicy::checkAllowBlanketEnforcement(
+            response,
+            toLocalFrame(frame()->tree().parent())->document()->url())) {

[amalika, 2016/10/11 19:06:46]

This function is after x-frames checks where it seems like non local frames are
blocked? 
The tests are passing for cross origin iframes, but not totally sure about
remote frames and what's the correct way to get url() of the parent.

+      m_contentSecurityPolicy->addPolicyFromHeaderValue(
+          frameLoader()->requiredCSP(), ContentSecurityPolicyHeaderTypeEnforce,
+          ContentSecurityPolicyHeaderSourceHTTP);
+    } else {
+      // TODO(amalika): Under this flag up to this pointS, we only support

[amalika, 2016/10/11 19:06:46]

nit: will fix the wording

+      // Allow-CSP-From header.
+      // Change this after adding Subsumption Algorithm
+      cancelLoadAfterXFrameOptionsOrCSPDenied(response);
+      return;
+    }
+  }
+
   DCHECK(!m_frame->page()->defersLoading());
 
   m_response = response;