Experimental Feature: Allow-CSP-From header

third_party/WebKit/Source/core/loader/DocumentLoader.cpp

Index: third_party/WebKit/Source/core/loader/DocumentLoader.cpp
diff --git a/third_party/WebKit/Source/core/loader/DocumentLoader.cpp b/third_party/WebKit/Source/core/loader/DocumentLoader.cpp
index 7f689758f73ce58cb90169608e096f5f9c89130e..f2f9b3fea73a415e44e8d23727a046901b35eb61 100644
--- a/third_party/WebKit/Source/core/loader/DocumentLoader.cpp
+++ b/third_party/WebKit/Source/core/loader/DocumentLoader.cpp
@@ -448,6 +448,29 @@ void DocumentLoader::responseReceived(
     }
   }
 
+  if (RuntimeEnabledFeatures::embedderCSPEnforcementEnabled() &&
+      !frameLoader()->requiredCSP().isEmpty()) {
+    SecurityOrigin* parentSecurityOrigin =
+        frame()->tree().parent()->securityContext()->getSecurityOrigin();
+    if (ContentSecurityPolicy::shouldEnforceEmbeddersPolicy(
+            response, parentSecurityOrigin)) {
+      m_contentSecurityPolicy->addPolicyFromHeaderValue(
+          frameLoader()->requiredCSP(), ContentSecurityPolicyHeaderTypeEnforce,
+          ContentSecurityPolicyHeaderSourceHTTP);
+    } else {
+      String message = "Refused to display '" + response.url().elidedString() +
+                       "' because it has not opted-into the following policy "
+                       "required by its embedder: '" +
+                       frameLoader()->requiredCSP() + "'.";
+      ConsoleMessage* consoleMessage = ConsoleMessage::createForRequest(
+          SecurityMessageSource, ErrorMessageLevel, message, response.url(),
+          mainResourceIdentifier());
+      frame()->document()->addConsoleMessage(consoleMessage);
+      cancelLoadAfterXFrameOptionsOrCSPDenied(response);
+      return;
+    }
+  }
+
   DCHECK(!m_frame->page()->defersLoading());
 
   m_response = response;