PlzNavigate: Enforce 'frame-src' CSP on the browser.

content/browser/frame_host/navigator_impl.cc

 // Copyright 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/browser/frame_host/navigator_impl.h"
 
 #include <utility>
 
 #include "base/logging.h"
 #include "base/metrics/histogram_macros.h"
@@ skipping 213 matching lines @@
     started_from_context_menu = pending_entry->has_started_from_context_menu();
   }
 
   std::vector<GURL> validated_redirect_chain = redirect_chain;
   for (size_t i = 0; i < validated_redirect_chain.size(); ++i)
     render_process_host->FilterURL(false, &validated_redirect_chain[i]);
   render_frame_host->SetNavigationHandle(NavigationHandleImpl::Create(
       validated_url, validated_redirect_chain,
       render_frame_host->frame_tree_node(), is_renderer_initiated,
       false,  // is_same_page
-      navigation_start, pending_nav_entry_id, started_from_context_menu));
+      navigation_start, pending_nav_entry_id, started_from_context_menu,
+      false));  // should_bypass_main_world_csp
 }
 
 void NavigatorImpl::DidFailProvisionalLoadWithError(
     RenderFrameHostImpl* render_frame_host,
     const FrameHostMsg_DidFailProvisionalLoadWithError_Params& params) {
   VLOG(1) << "Failed Provisional Load: " << params.url.possibly_invalid_spec()
           << ", error_code: " << params.error_code
           << ", error_description: " << params.error_description
           << ", showing_repost_interstitial: " <<
             params.showing_repost_interstitial
@@ skipping 360 matching lines @@
   // mojom::Renderer::CreateFrameProxy.
   render_frame_host->frame_tree_node()->SetCurrentOrigin(
       params.origin, params.has_potentially_trustworthy_unique_origin);
 
   render_frame_host->frame_tree_node()->SetInsecureRequestPolicy(
       params.insecure_request_policy);
 
   // Navigating to a new location means a new, fresh set of http headers and/or
   // <meta> elements - we need to reset CSP and Feature Policy.
   if (!is_navigation_within_page) {
+    render_frame_host->ResetContentSecurityPolicies();
     render_frame_host->frame_tree_node()->ResetContentSecurityPolicy();

[alexmos, 2017/03/01 02:22:28]

It looks a bit weird to call something to reset CSP twice on both RFH and FTN. 
Perhaps we could combine them somehow and call one from the other, or rename the
FTN ResetContentSecurityPolicy into something like ResetCSPHeaders, since it's
really about resetting replicated CSP headers.  Not that big of a deal.

[arthursonzogni, 2017/03/06 15:09:02]

Done.

     render_frame_host->frame_tree_node()->ResetFeaturePolicyHeader();
   }
 
   // When using --site-per-process, we notify the RFHM for all navigations,
   // not just main frame navigations.
   if (oopifs_possible) {
     FrameTreeNode* frame = render_frame_host->frame_tree_node();
     frame->render_manager()->DidNavigateFrame(
         render_frame_host, params.gesture == NavigationGestureUser);
   }
@@ skipping 661 matching lines @@
     if (navigation_handle)
       navigation_handle->update_entry_id_for_transfer(entry->GetUniqueID());
 
     controller_->SetPendingEntry(std::move(entry));
     if (delegate_)
       delegate_->NotifyChangedNavigationState(content::INVALIDATE_TYPE_URL);
   }
 }
 
 }  // namespace content