PlzNavigate: Enforce 'frame-src' CSP on the browser.

third_party/WebKit/Source/web/WebLocalFrameImpl.cpp

 /*
  * Copyright (C) 2009 Google Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions are
  * met:
  *
  *     * Redistributions of source code must retain the above copyright
  * notice, this list of conditions and the following disclaimer.
  *     * Redistributions in binary form must reproduce the above
@@ skipping 2036 matching lines @@
 
   if (!frame()->owner() || !frame()->owner()->canRenderFallbackContent())
     return false;
 
   FrameLoader& frameloader = frame()->loader();
   frameloader.clearNavigationHandledByClient();
   frameloader.loadFailed(frameloader.documentLoader(), error);
   return true;
 }
 
+// Called when a navigation is blocked because a Content Security Policy (CSP)
+// is infringed.
+void WebLocalFrameImpl::reportContentSecurityPolicyViolation(
+    const blink::WebContentSecurityPolicyViolation& violation) {
+  DCHECK(frame() && frame()->document());
+  Document* document = frame()->document();
+  Vector<String> reportEndpoints;
+  for (const WebString& endPoint : violation.reportEndpoints)
+    reportEndpoints.push_back(endPoint);
+  document->contentSecurityPolicy()->reportViolation(
+      violation.directive, /* directiveText */
+      ContentSecurityPolicy::getDirectiveType(
+          violation.effectiveDirective), /* effectiveType */
+      violation.consoleMessage,          /* consoleMessage */
+      violation.blockedUrl,              /* blockedUrl */
+      reportEndpoints,                   /* reportEndpoints */
+      violation.header,                  /* header */
+      static_cast<ContentSecurityPolicyHeaderType>(violation.disposition),
+      ContentSecurityPolicy::ViolationType::URLViolation); /* ViolationType */

[alexmos, 2017/02/24 06:40:28]

Does this still need to extract out and explicitly pass in the redirect info
from the WebContentSecurityPolicyViolation?

[arthursonzogni, 2017/02/24 16:13:30]

I am not sure to understand, but if you mean that I forgot to pass
violation.after_redirect, yes this is really important.

[alexmos, 2017/03/01 02:22:28]

Yes, this is what I meant.  Thanks for fixing it!

+}
+
 bool WebLocalFrameImpl::isLoading() const {
   if (!frame() || !frame()->document())
     return false;
   return frame()->loader().stateMachine()->isDisplayingInitialEmptyDocument() ||
          frame()->loader().hasProvisionalNavigation() ||
          !frame()->document()->loadEventFinished();
 }
 
 bool WebLocalFrameImpl::isNavigationScheduledWithin(
     double intervalInSeconds) const {
@@ skipping 373 matching lines @@
         createMarkup(startPosition, endPosition, AnnotateForInterchange,
                      ConvertBlocksToInlines::NotConvert, ResolveNonLocalURLs);
   } else {
     clipHtml =
         createMarkup(endPosition, startPosition, AnnotateForInterchange,
                      ConvertBlocksToInlines::NotConvert, ResolveNonLocalURLs);
   }
 }
 
 }  // namespace blink