Implement ContentSecurityPolicy on the browser-side.

third_party/WebKit/Source/core/frame/csp/SourceListDirective.h

Index: third_party/WebKit/Source/core/frame/csp/SourceListDirective.h
diff --git a/third_party/WebKit/Source/core/frame/csp/SourceListDirective.h b/third_party/WebKit/Source/core/frame/csp/SourceListDirective.h
index 425680c9acde18c6058bbd4ef227ece2f08a5c86..97d2e698c1c68bbdc536a11ae11a5f44ae4b667a 100644
--- a/third_party/WebKit/Source/core/frame/csp/SourceListDirective.h
+++ b/third_party/WebKit/Source/core/frame/csp/SourceListDirective.h
@@ -11,6 +11,7 @@
 #include "platform/Crypto.h"
 #include "platform/network/ContentSecurityPolicyParsers.h"
 #include "platform/network/ResourceRequest.h"
+#include "public/platform/WebContentSecurityPolicy.h"
 #include "wtf/HashSet.h"
 #include "wtf/text/WTFString.h"
 
@@ -52,6 +53,12 @@ class CORE_EXPORT SourceListDirective final : public CSPDirective {
   // https://w3c.github.io/webappsec-csp/embedded/#subsume-source-list
   bool subsumes(const HeapVector<Member<SourceListDirective>>&) const;
 
+  // Export a subset of the source list that can be checked outside of blink.

[Mike West, 2017/02/15 16:18:18]

Again, I'd suggest making the link to navigational checks clear.

+  // It contains every source-expressions, '*', 'none' and 'self'.
+  // It doesn't contain 'unsafe-inline' or 'unsafe-eval' for instance.
+  WebContentSecurityPolicySourceList expose() const;

[Mike West, 2017/02/15 16:18:18]

Maybe we should rename these to something like `exposeForNavigationalChecks`?

[arthursonzogni, 2017/02/16 13:30:25]

I agree. Done.

+  String directiveName() const { return m_directiveName; }
+
  private:
   FRIEND_TEST_ALL_PREFIXES(SourceListDirectiveTest, GetIntersectCSPSources);
   FRIEND_TEST_ALL_PREFIXES(SourceListDirectiveTest,