Index: third_party/WebKit/Source/core/loader/DocumentLoader.cpp |
diff --git a/third_party/WebKit/Source/core/loader/DocumentLoader.cpp b/third_party/WebKit/Source/core/loader/DocumentLoader.cpp |
index 7f689758f73ce58cb90169608e096f5f9c89130e..00bb0170eda849ca963a84a6b4b7025a6336e4b8 100644 |
--- a/third_party/WebKit/Source/core/loader/DocumentLoader.cpp |
+++ b/third_party/WebKit/Source/core/loader/DocumentLoader.cpp |
@@ -448,6 +448,24 @@ void DocumentLoader::responseReceived( |
} |
} |
+ if (RuntimeEnabledFeatures::embedderCSPEnforcementEnabled() && |
+ !frameLoader()->requiredCSP().isEmpty()) { |
+ // Check if the response allows blanket enforcment of policy from request |
+ if (ContentSecurityPolicy::checkAllowBlanketEnforcement( |
+ response, |
+ toLocalFrame(frame()->tree().parent())->document()->url())) { |
Mike West
2016/10/13 11:01:42
1. You can't know that the parent is a local frame
|
+ m_contentSecurityPolicy->addPolicyFromHeaderValue( |
+ frameLoader()->requiredCSP(), ContentSecurityPolicyHeaderTypeEnforce, |
+ ContentSecurityPolicyHeaderSourceHTTP); |
+ } else { |
+ // TODO(amalika): Under this flag up to this pointS, we only support |
+ // Allow-CSP-From header. |
+ // Change this after adding Subsumption Algorithm |
+ cancelLoadAfterXFrameOptionsOrCSPDenied(response); |
+ return; |
+ } |
+ } |
+ |
DCHECK(!m_frame->page()->defersLoading()); |
m_response = response; |