Chromium Code Reviews

Unified Diff: content/common/content_security_policy/csp_policy.h

Issue 2612793002: Implement ContentSecurityPolicy on the browser-side. (Closed)
Patch Set: Nit. Created 3 years, 10 months ago
Index: content/common/content_security_policy/csp_policy.h
diff --git a/content/common/content_security_policy/csp_policy.h b/content/common/content_security_policy/csp_policy.h
new file mode 100644
index 0000000000000000000000000000000000000000..b512dad3581b81a1ece23d67a8177c62545e0e6f
--- /dev/null
+++ b/content/common/content_security_policy/csp_policy.h
@@ -0,0 +1,62 @@
+// Copyright 2017 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef CONTENT_COMMON_CONTENT_SECURITY_POLICY_CSP_POLICY_H_
+#define CONTENT_COMMON_CONTENT_SECURITY_POLICY_CSP_POLICY_H_
+
+#include <memory>
+#include <vector>
+
+#include "content/common/content_export.h"
+#include "content/common/content_security_policy/csp_directive.h"
+#include "content/common/content_security_policy_header.h"
+#include "url/gurl.h"
+
+namespace content {
+
+class CSPContext;
+
+// https://www.w3.org/TR/CSP3/#framework-policy
+//
+// A CSPPolicy is a set of |directives| that needs to be enforced.
Mike West 2017/02/15 16:18:18 1. "CSPPolicy". :( 2. Perhaps "... is a collectio
arthursonzogni 2017/02/16 13:30:25 Okay, it breaks my heart, but I think I will repla
+// Example of CSPPolicy:
+// "Content-Security-Policy: default-src example.com img.cdn.com ;
+// form-action 'self';
+// frame-src 'self';"
Mike West 2017/02/15 16:18:18 I'm not sure this helps much unless you explain ho
arthursonzogni 2017/02/16 13:30:25 Okay, I removed it.
+struct CONTENT_EXPORT CSPPolicy {
+ CSPPolicy();
+ CSPPolicy(blink::WebContentSecurityPolicyType disposition,
+ blink::WebContentSecurityPolicySource source,
+ const std::vector<CSPDirective>& directives,
+ const std::vector<std::string>& report_endpoints);
+ CSPPolicy(const CSPPolicy&);
+ ~CSPPolicy();
+
+ blink::WebContentSecurityPolicyType disposition;
+ blink::WebContentSecurityPolicySource source;
+ std::vector<CSPDirective> directives;
+ std::vector<std::string> report_endpoints;
+
+ bool Allow(CSPContext* context,
+ CSPDirective::Name directive,
+ const GURL& url,
+ bool is_redirect = false) const;
+
+ std::string ToString() const;
+
+ private:
+ bool AllowDirective(CSPContext* context,
+ CSPDirective::Name directive_name,
+ const CSPDirective& directive,
+ const GURL& url,
+ bool is_redirect) const;
+
+ void ReportViolation(CSPContext* context,
+ const CSPDirective::Name effective_directive,
+ const CSPDirective& directive,
+ const GURL& url) const;
+};
+
+} // namespace content
+#endif // CONTENT_COMMON_CONTENT_SECURITY_POLICY_CSP_POLICY_H_
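Review bot: Allow() in the public section has no comment stating its contract: what it returns when none of |directives| covers the requested CSPDirective::Name, how |disposition| affects the result (does a report-only policy return true while still going through ReportViolation()?), and whether |context| may be null. Callers will treat the return value as an enforcement decision, so please document this above the declaration, and consider dropping the `bool is_redirect = false` default so that every call site has to say explicitly whether the check is for a redirect. Smaller points: the header uses std::string in the constructor, in |report_endpoints| and in ToString() but does not include <string>; nothing in the visible declarations needs <memory>; a type with a private: section and behaviour would normally be declared as a class rather than a struct; and the top-level const on `const CSPDirective::Name effective_directive` has no effect in a declaration and can be dropped.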
