Chromium Code Reviews

Unified Diff: third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/cascade/cross-origin-window-open.html

Issue 2530343006: CSP: "local schemes" should inherit policy when window.opened. (Closed)
Patch Set: feedback Created 4 years ago
Index: third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/cascade/cross-origin-window-open.html
diff --git a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/cascade/cross-origin-window-open.html b/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/cascade/cross-origin-window-open.html
new file mode 100644
index 0000000000000000000000000000000000000000..d46d826ff22e1431c8708afeccf8d74558d1a5e9
--- /dev/null
+++ b/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/cascade/cross-origin-window-open.html
@@ -0,0 +1,30 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/security/contentSecurityPolicy/resources/cascade-helper.js"></script>
+ <meta http-equiv="content-security-policy" content="img-src 'none'">
+</head>
+<body>
+<script>
+ async_test(t => {
+ assert_blocked_image_in_document(t, document, "http://example.test:8000/resources/square.png?img-in-top-level");
+ }, "Image loaded in top-level blocked.");
+
+ async_test(t => {
+ window.addEventListener("message", t.step_func(e => {
+ assert_equals(e.data, "blocked");
+ t.done();
+ }));
+
+ window.open("data:text/html,<script>" +
+ " var i = document.createElement('img');" +
+ " i.onload = _ => opener.postMessage('loaded', '*');" +
+ " i.onerror = _ => opener.postMessage('blocked', '*');" +
+ " i.src = 'http://example.test:8000/resources/square.png?data-frame'" +
+ "</scr" + "ipt>");
+ }, "Image loaded via data: window blocked.");
+</script>
+</body>
+</html>
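Review bot: The message listener in the second async_test accepts any message event and the handle returned by window.open(...) is discarded, so the test cannot tell whether "blocked" came from the data: window it opened, and that window is never closed. Consider keeping the handle (var w = window.open(...)), asserting e.source === w inside the step_func before comparing e.data, and registering t.add_cleanup(() => w.close()) so the popup does not outlive the test. A short comment above the window.open call stating that the data: document is expected to inherit the opener's img-src 'none' policy would also make the intent of the "blocked" expectation clear to later readers.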