Implement ContentSecurityPolicy on the browser-side.

third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp

 /*
  * Copyright (C) 2011 Google, Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
@@ skipping 314 matching lines @@
   }
 }
 
 void ContentSecurityPolicy::reportAccumulatedHeaders(
     FrameLoaderClient* client) const {
   // Notify the embedder about headers that have accumulated before the
   // navigation got committed.  See comments in
   // addAndReportPolicyFromHeaderValue for more details and context.
   DCHECK(client);
   for (const auto& policy : m_policies) {
-    client->didAddContentSecurityPolicy(policy->header(), policy->headerType(),
-                                        policy->headerSource());
+    client->didAddContentSecurityPolicy(
+        policy->header(), policy->headerType(), policy->headerSource(),
+        {policy->exposeForNavigationalChecks()});
   }
 }
 
 void ContentSecurityPolicy::addAndReportPolicyFromHeaderValue(
     const String& header,
     ContentSecurityPolicyHeaderType type,
     ContentSecurityPolicyHeaderSource source) {
-  // Notify about the new header, so that it can be reported back to the
-  // browser process.  This is needed in order to:
-  // 1) replicate CSP directives (i.e. frame-src) to OOPIFs (only for now /
-  // short-term).
-  // 2) enforce CSP in the browser process (not yet / long-term - see
-  // https://crbug.com/376522).
-  if (document() && document()->frame())
-    document()->frame()->client()->didAddContentSecurityPolicy(header, type,
-                                                               source);
+  size_t previousPolicyCount = m_policies.size();
+  addPolicyFromHeaderValue(header, type, source);
+  if (document() && document()->frame()) {
+    // Notify about the new header, so that it can be reported back to the
+    // browser process.  This is needed in order to:
+    // 1) replicate CSP directives (i.e. frame-src) to OOPIFs (only for now /
+    // short-term).
+    // 2) enforce CSP in the browser process (long-term - see
+    // https://crbug.com/376522).
+    // TODO(arthursonzogni): policies are actually replicated (1) and some of
+    // them are (or will) be enforced on the browser process (2). Stop doing (1)
+    // when (2) is finished.
 
-  addPolicyFromHeaderValue(header, type, source);
+    // Zero, one or several policies could be produced by only one header.
+    std::vector<blink::WebContentSecurityPolicyPolicy> policies;
+    for (size_t i = previousPolicyCount; i < m_policies.size(); ++i)
+      policies.push_back(m_policies[i]->exposeForNavigationalChecks());
+    document()->frame()->client()->didAddContentSecurityPolicy(
+        header, type, source, policies);
+  }
 }
 
 void ContentSecurityPolicy::setOverrideAllowInlineStyle(bool value) {
   m_overrideInlineStyleAllowed = value;
 }
 
 void ContentSecurityPolicy::setOverrideURLForSelf(const KURL& url) {
   // Create a temporary CSPSource so that 'self' expressions can be resolved
   // before we bind to an execution context (for 'frame-ancestor' resolution,
   // for example). This CSPSource will be overwritten when we bind this object
@@ skipping 1253 matching lines @@
   CSPDirectiveListVector otherVector;
   for (const auto& policy : other.m_policies) {
     if (!policy->isReportOnly())
       otherVector.push_back(policy);
   }
 
   return m_policies[0]->subsumes(otherVector);
 }
 
 }  // namespace blink