PlzNavigate: Enforce 'frame-src' CSP on the browser.

content/browser/frame_host/frame_tree_node.h

 // Copyright 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef CONTENT_BROWSER_FRAME_HOST_FRAME_TREE_NODE_H_
 #define CONTENT_BROWSER_FRAME_HOST_FRAME_TREE_NODE_H_
 
 #include <stddef.h>
 
 #include <memory>
 #include <string>
 #include <vector>
 
 #include "base/macros.h"
 #include "base/memory/ref_counted.h"
 #include "content/browser/frame_host/frame_tree_node_blame_context.h"
 #include "content/browser/frame_host/render_frame_host_impl.h"
 #include "content/browser/frame_host/render_frame_host_manager.h"
 #include "content/common/content_export.h"
-#include "content/common/content_security_policy/csp_policy.h"
+#include "content/common/content_security_policy/csp_context.h"
 #include "content/common/frame_owner_properties.h"
 #include "content/common/frame_replication_state.h"
 #include "third_party/WebKit/public/platform/WebInsecureRequestPolicy.h"
 #include "url/gurl.h"
 #include "url/origin.h"
 
 namespace content {
 
 class FrameTree;
 class NavigationRequest;
@@ skipping 140 matching lines @@
   // Add CSP header to replication state, notify proxies about the update and
   // enforce it on the browser.
   void AddContentSecurityPolicy(const ContentSecurityPolicyHeader& header,
                                 const std::vector<CSPPolicy>& policies);
 
   // Discards previous CSP headers and notifies proxies about the update.
   // Typically invoked after committing navigation to a new document (since the
   // new document comes with a fresh set of CSP http headers).
   void ResetContentSecurityPolicy();
 
+  const std::vector<CSPPolicy>& csp_policies() const { return csp_policies_; }

[nasko, 2017/02/15 21:28:44]

nit: I would move this higher in the file with all the other simple accessors.

[arthursonzogni, 2017/02/16 17:32:41]

Done.

+
+  // Return the Content-Security-Policy context associated to this frame.

[nasko, 2017/02/15 21:28:44]

nit: "associated with"

+  // Never null.
+  CSPContext* csp_context() { return csp_context_.get(); }
+
   // Sets the current insecure request policy, and notifies proxies about the
   // update.
   void SetInsecureRequestPolicy(blink::WebInsecureRequestPolicy policy);
 
   // Returns the currently active sandbox flags for this frame.  This includes
   // flags inherited from parent frames and the currently active flags from the
   // <iframe> element hosting this frame.  This does not include flags that
   // have been updated in an <iframe> element but have not taken effect yet;
   // use pending_sandbox_flags() for those.
   blink::WebSandboxFlags effective_sandbox_flags() const {
@@ skipping 205 matching lines @@
   // List of objects observing this FrameTreeNode.
   base::ObserverList<Observer> observers_;
 
   base::TimeTicks last_focus_time_;
 
   // A helper for tracing the snapshots of this FrameTreeNode and attributing
   // browser process activities to this node (when possible).  It is unrelated
   // to the core logic of FrameTreeNode.
   FrameTreeNodeBlameContext blame_context_;
 
-  // A set of Content-Security-Policies to enforce on the browser-side.
+  // A set of Content-Security-Policy policies to enforce on the browser-side.
   std::vector<CSPPolicy> csp_policies_;
 
+  // Used to check if a frame is allowed to navigate to an URL according to a
+  // set of content-security-policy policies.
+  std::unique_ptr<CSPContext> csp_context_;

[nasko, 2017/02/15 21:28:44]

What is the difference between a context and a policy?

[arthursonzogni, 2017/02/16 17:32:41]

Please see my response above.

+
   DISALLOW_COPY_AND_ASSIGN(FrameTreeNode);
 };
 
 }  // namespace content
 
 #endif  // CONTENT_BROWSER_FRAME_HOST_FRAME_TREE_NODE_H_