Experimental Feature: Allow-CSP-From header

third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp

Index: third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp
diff --git a/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp b/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp
index 20fd403634bfeb45b58118b95618255ee188787f..968d0d9335f9466b7eee44b28c598dfa4ab9aed1 100644
--- a/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp
+++ b/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp
@@ -311,6 +311,30 @@ void ContentSecurityPolicy::didReceiveHeader(
     applyPolicySideEffectsToExecutionContext();
 }
 
+bool ContentSecurityPolicy::shouldEnforceEmbeddersPolicy(
+    const ResourceResponse& response,
+    SecurityOrigin* parentOrigin) {
+  if (response.url().isEmpty() || response.url().protocolIsAbout() ||
+      response.url().protocolIsData() || response.url().protocolIs("blob") ||
+      response.url().protocolIs("filesystem")) {
+    return true;
+  }
+
+  if (parentOrigin->canAccess(SecurityOrigin::create(response.url()).get()))
+    return true;
+
+  String header = response.httpHeaderField(HTTPNames::Allow_CSP_From);
+  header = header.stripWhiteSpace();
+  if (header == "*")
+    return true;
+  if (RefPtr<SecurityOrigin> childOrigin =
+          SecurityOrigin::createFromString(header)) {
+    return parentOrigin->canAccess(childOrigin.get());
+  }
+
+  return false;
+}
+
 void ContentSecurityPolicy::addPolicyFromHeaderValue(
     const String& header,
     ContentSecurityPolicyHeaderType type,