Experimental Feature: Allow-CSP-From header

third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp

Index: third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp
diff --git a/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp b/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp
index 3ff396642f61a6722b5b1cf7f35136afc2fc77c1..c82f49fb495336968e1beb3725d94e1b325f8360 100644
--- a/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp
+++ b/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp
@@ -311,6 +311,30 @@ void ContentSecurityPolicy::didReceiveHeader(
     applyPolicySideEffectsToExecutionContext();
 }
 
+bool ContentSecurityPolicy::shouldEnforceEmbeddersPolicy(
+    const ResourceResponse& response,
+    SecurityOrigin* parentOrigin) {
+  if (response.url().isEmpty() || response.url().protocolIsAbout() ||
+      response.url().protocolIsData() || response.url().protocolIs("blob") ||
+      response.url().protocolIs("filesystem")) {
+    return true;
+  }
+
+  if (parentOrigin->canAccess(SecurityOrigin::create(response.url()).get()))
+    return true;
+
+  String header = response.httpHeaderField(HTTPNames::Allow_CSP_From);
+  header = header.stripWhiteSpace();
+  if (header == "*")
+    return true;
+  if (RefPtr<SecurityOrigin> childOrigin =
+          SecurityOrigin::createFromString(header)) {
+    return parentOrigin->canAccess(childOrigin.get());
+  }
+
+  return false;
+}
+
 void ContentSecurityPolicy::addPolicyFromHeaderValue(
     const String& header,
     ContentSecurityPolicyHeaderType type,