Index: third_party/WebKit/Source/core/loader/DocumentLoader.cpp |
diff --git a/third_party/WebKit/Source/core/loader/DocumentLoader.cpp b/third_party/WebKit/Source/core/loader/DocumentLoader.cpp |
index 7f689758f73ce58cb90169608e096f5f9c89130e..16f53d4f1b63277a543a59d731131666b3cbfe16 100644 |
--- a/third_party/WebKit/Source/core/loader/DocumentLoader.cpp |
+++ b/third_party/WebKit/Source/core/loader/DocumentLoader.cpp |
@@ -448,6 +448,28 @@ void DocumentLoader::responseReceived( |
} |
} |
+ if (RuntimeEnabledFeatures::embedderCSPEnforcementEnabled() && |
+ !frameLoader()->requiredCSP().isEmpty()) { |
+ SecurityOrigin* parentSecurityOrigin = |
+ frame()->tree().parent()->securityContext()->getSecurityOrigin(); |
+ if (ContentSecurityPolicy::shouldEnforceEmbeddersPolicy( |
+ response, parentSecurityOrigin)) { |
+ m_contentSecurityPolicy->addPolicyFromHeaderValue( |
+ frameLoader()->requiredCSP(), ContentSecurityPolicyHeaderTypeEnforce, |
+ ContentSecurityPolicyHeaderSourceHTTP); |
+ } else { |
+ String message = "Refused to display '" + response.url().elidedString() + |
+ "' because CSP does not satisfy Embedding-CSP: " + |
amalika
2016/10/17 13:21:53
Not sure what would be a good message?
Mike West
2016/10/17 14:54:28
Perhaps "' because it has not opted-into the follo
|
+ frameLoader()->requiredCSP() + "'."; |
+ ConsoleMessage* consoleMessage = ConsoleMessage::createForRequest( |
+ SecurityMessageSource, ErrorMessageLevel, message, response.url(), |
+ mainResourceIdentifier()); |
+ frame()->document()->addConsoleMessage(consoleMessage); |
+ cancelLoadAfterXFrameOptionsOrCSPDenied(response); |
+ return; |
+ } |
+ } |
+ |
DCHECK(!m_frame->page()->defersLoading()); |
m_response = response; |