Experimental Feature: Allow-CSP-From header

third_party/WebKit/Source/core/loader/DocumentLoader.cpp

Index: third_party/WebKit/Source/core/loader/DocumentLoader.cpp
diff --git a/third_party/WebKit/Source/core/loader/DocumentLoader.cpp b/third_party/WebKit/Source/core/loader/DocumentLoader.cpp
index 7f689758f73ce58cb90169608e096f5f9c89130e..16f53d4f1b63277a543a59d731131666b3cbfe16 100644
--- a/third_party/WebKit/Source/core/loader/DocumentLoader.cpp
+++ b/third_party/WebKit/Source/core/loader/DocumentLoader.cpp
@@ -448,6 +448,28 @@ void DocumentLoader::responseReceived(
     }
   }
 
+  if (RuntimeEnabledFeatures::embedderCSPEnforcementEnabled() &&
+      !frameLoader()->requiredCSP().isEmpty()) {
+    SecurityOrigin* parentSecurityOrigin =
+        frame()->tree().parent()->securityContext()->getSecurityOrigin();
+    if (ContentSecurityPolicy::shouldEnforceEmbeddersPolicy(
+            response, parentSecurityOrigin)) {
+      m_contentSecurityPolicy->addPolicyFromHeaderValue(
+          frameLoader()->requiredCSP(), ContentSecurityPolicyHeaderTypeEnforce,
+          ContentSecurityPolicyHeaderSourceHTTP);
+    } else {
+      String message = "Refused to display '" + response.url().elidedString() +
+                       "' because CSP does not satisfy Embedding-CSP: " +

[amalika, 2016/10/17 13:21:53]

Not sure what would be a good message?

[Mike West, 2016/10/17 14:54:28]

Perhaps "' because it has not opted-into the following policy required by its
embedder: '"?

+                       frameLoader()->requiredCSP() + "'.";
+      ConsoleMessage* consoleMessage = ConsoleMessage::createForRequest(
+          SecurityMessageSource, ErrorMessageLevel, message, response.url(),
+          mainResourceIdentifier());
+      frame()->document()->addConsoleMessage(consoleMessage);
+      cancelLoadAfterXFrameOptionsOrCSPDenied(response);
+      return;
+    }
+  }
+
   DCHECK(!m_frame->page()->defersLoading());
 
   m_response = response;