Implement ContentSecurityPolicy on the browser-side.

third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.h

Index: third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.h
diff --git a/third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.h b/third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.h
index 7dba69f3398462354117a0d391c704f04d508ad2..f210e9d0a7171bb0be1f6898abf8e239f10410c5 100644
--- a/third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.h
+++ b/third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.h
@@ -14,6 +14,7 @@
 #include "platform/network/HTTPParsers.h"
 #include "platform/network/ResourceRequest.h"
 #include "platform/weborigin/KURL.h"
+#include "public/platform/WebContentSecurityPolicy.h"
 #include "wtf/Vector.h"
 #include "wtf/text/AtomicString.h"
 #include "wtf/text/WTFString.h"
@@ -162,6 +163,18 @@ class CORE_EXPORT CSPDirectiveList
   // https://w3c.github.io/webappsec-csp/embedded/#subsume-policy
   bool subsumes(const CSPDirectiveListVector&);
 
+  // Export a subset of the Policy. The primary goal of this method if to make

[Mike West, 2017/02/15 16:18:18]

Nit: s/if/is/

[arthursonzogni, 2017/02/16 13:30:25]

Done.

+  // the embedders able to enforce the directives that are not stricly internal

[Mike West, 2017/02/15 16:18:18]

How about "the embedder aware of the directives that affect navigation, as the
embedder is responsible for navigational enforcement."?

[arthursonzogni, 2017/02/16 13:30:25]

Done.

+  // to blink.
+  // It currently contains the following ones:
+  // * default-src
+  // * child-src
+  // * frame-src
+  // * form-action
+  // The exported directives only contains sources that can be checked outside
+  // of blink. For instance it doesn't contains 'unsafe-inline' or 'unsafe-eval'

[Mike West, 2017/02/15 16:18:18]

Nit: s/that can be checked outside of blink/that affect navigation./

[arthursonzogni, 2017/02/16 13:30:25]

Done.

+  WebContentSecurityPolicyPolicy expose() const;
+
   DECLARE_TRACE();
 
  private: