PlzNavigate: Enforce 'frame-src' CSP on the browser.

content/common/content_security_policy/csp_policy.cc

 // Copyright 2017 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include <sstream>
 #include "base/strings/string_split.h"
 #include "base/strings/string_util.h"
 #include "content/common/content_security_policy/csp_context.h"
 
 namespace content {
@@ skipping 86 matching lines @@
 }
 
 bool CSPPolicy::AllowDirective(CSPContext* context,
                                CSPDirective::Name directive_name,
                                const CSPDirective& directive,
                                const GURL& url,
                                bool is_redirect) const {
   if (directive.source_list.Allow(context, url, is_redirect))
     return true;
 
-  ReportViolation(context, directive_name, directive, url);
+  ReportViolation(context, directive_name, directive, url, is_redirect);
 
   return disposition == blink::WebContentSecurityPolicyTypeReport;
 }
 
 void CSPPolicy::ReportViolation(CSPContext* context,
                                 const CSPDirective::Name directive_name,
                                 const CSPDirective& directive,
-                                const GURL& url) const {
+                                const GURL& url,
+                                bool is_redirect) const {
   // We should never have a violation against `child-src` or `default-src`
   // directly; the effective directive should always be one of the explicit
   // fetch directives.
   DCHECK_NE(directive_name, CSPDirective::DefaultSrc);
   DCHECK_NE(directive_name, CSPDirective::ChildSrc);
 
   std::stringstream message;
 
   if (disposition == blink::WebContentSecurityPolicyTypeReport)
     message << "[Report Only] ";
@@ skipping 10 matching lines @@
 
   if (directive.name != directive_name)
     message << " Note that '" << CSPDirective::NameToString(directive_name)
             << "' was not explicitly set, so '"
             << CSPDirective::NameToString(directive.name)
             << "' is used as a fallback.";
 
   message << "\n";
 
   context->LogToConsole(message.str());
-  context->ReportViolation(CSPDirective::NameToString(directive.name),
-                           CSPDirective::NameToString(directive_name),
-                           message.str(), url, report_endpoints,
-                           // TODO(arthursonzogni): consider passing the
-                           // original header
-                           "", disposition);
+  context->ReportViolation(
+      CSPViolationParams(CSPDirective::NameToString(directive.name),
+                         CSPDirective::NameToString(directive_name),
+                         message.str(), url, report_endpoints,
+                         // TODO(arthursonzogni): consider passing the
+                         // original header

[nasko, 2017/02/15 21:28:44]

This struct now defines a member for the original header. Is this intentionally
still left blank?

[arthursonzogni, 2017/02/16 17:32:41]

I don't understand your question.

Maybe I will have to store the raw policy header inside the
CSPPolicy/ContentSecurityPolicy object. I will work on it.

+                         "", disposition, is_redirect));
 }
 
 }  // namespace content