Implement ContentSecurityPolicy on the browser-side.

content/renderer/render_frame_impl.cc

Index: content/renderer/render_frame_impl.cc
diff --git a/content/renderer/render_frame_impl.cc b/content/renderer/render_frame_impl.cc
index 5ada65582183241bfa31bb1ed591dbc4bbbf0806..484c121cc1a39f246ff70bedbc639b2d98c5837a 100644
--- a/content/renderer/render_frame_impl.cc
+++ b/content/renderer/render_frame_impl.cc
@@ -53,6 +53,7 @@
 #include "content/common/associated_interfaces.mojom.h"
 #include "content/common/clipboard_messages.h"
 #include "content/common/content_constants_internal.h"
+#include "content/common/content_security_policy/csp_context.h"
 #include "content/common/content_security_policy_header.h"
 #include "content/common/download/mhtml_save_status.h"
 #include "content/common/edit_command.h"
@@ -95,6 +96,7 @@
 #include "content/renderer/browser_plugin/browser_plugin.h"
 #include "content/renderer/browser_plugin/browser_plugin_manager.h"
 #include "content/renderer/child_frame_compositing_helper.h"
+#include "content/renderer/content_security_policy_util.h"
 #include "content/renderer/context_menu_params_builder.h"
 #include "content/renderer/devtools/devtools_agent.h"
 #include "content/renderer/dom_automation_controller.h"
@@ -3202,15 +3204,19 @@ void RenderFrameImpl::didSetFeaturePolicyHeader(
 void RenderFrameImpl::didAddContentSecurityPolicy(
     const blink::WebString& header_value,
     blink::WebContentSecurityPolicyType type,
-    blink::WebContentSecurityPolicySource source) {
-  if (!SiteIsolationPolicy::AreCrossProcessFramesPossible())
-    return;
-
+    blink::WebContentSecurityPolicySource source,
+    const std::vector<blink::WebContentSecurityPolicyPolicy>& policies) {
   ContentSecurityPolicyHeader header;
   header.header_value = header_value.utf8();
   header.type = type;
   header.source = source;
-  Send(new FrameHostMsg_DidAddContentSecurityPolicy(routing_id_, header));
+
+  std::vector<CSPPolicy> content_policies;

[Mike West, 2017/02/13 14:10:51]

CSPPolicy => "Content Security Policy Policy". :(

[arthursonzogni, 2017/02/14 17:07:03]

I like thinking that Content-Security-Policy is {the concept, the feature} and a
Policy is the object.
A policy is a the set of directive, which are a set of source.

Do you really want me to rename this? CSPPolicy => CSP. I still prefer
CSPPolicy.

I saw that it was difficult in blink to name the classes.
Here is roughly what are the corresponding classes between blink and content.
ContentSecurityPolicy <=> a set of CSPPolicy ( + a CSPContext + misc )
CSPDirectiveList <=> CSPPolicy
SourceListDirective <=> CSPDirective + CSPSourceList
CSPSource <=> CSPSource.

+  for (const auto& policy : policies)
+    content_policies.push_back(BuildCSPPolicy(policy));
+
+  Send(new FrameHostMsg_DidAddContentSecurityPolicy(routing_id_, header,
+                                                    content_policies));
 }
 
 void RenderFrameImpl::didChangeFrameOwnerProperties(