PlzNavigate: Enforce 'frame-src' CSP on the browser.

third_party/WebKit/public/platform/WebContentSecurityPolicyStruct.h

 /*
  * Copyright (C) 2012 Google Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions are
  * met:
  *
  *     * Redistributions of source code must retain the above copyright
  * notice, this list of conditions and the following disclaimer.
  *     * Redistributions in binary form must reproduce the above
@@ skipping 15 matching lines @@
  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
  * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
 
 #ifndef WebContentSecurityPolicyStruct_h
 #define WebContentSecurityPolicyStruct_h
 
 #include "public/platform/WebContentSecurityPolicy.h"
 #include "public/platform/WebString.h"
+#include "public/platform/WebURL.h"
 #include "public/platform/WebVector.h"
 
 namespace blink {
 
 enum WebWildcardDisposition {
   WebWildcardDispositionNoWildcard,
   WebWildcardDispositionHasWildcard
 };
 
 struct WebContentSecurityPolicySourceExpression {
@@ skipping 17 matching lines @@
 };
 
 struct WebContentSecurityPolicyPolicy {
   WebContentSecurityPolicyType disposition;
   WebContentSecurityPolicySource source;
   WebVector<WebContentSecurityPolicyDirective> directives;
   WebVector<WebString> reportEndpoints;
   WebString header;
 };
 
+struct WebContentSecurityPolicyViolation {
+  // The name of the directive that infringe the policy. |directive| might be a

[alexmos, 2017/03/13 17:26:26]

nit: s/infringe/violates/

[arthursonzogni, 2017/03/14 15:38:57]

Done.

+  // directive that serves as a fallback to the |effective_directive|.
+  WebString directive;
+
+  // The name the effective directive that was checked against.
+  WebString effectiveDirective;
+
+  // The console message to be displayed to the user.
+  WebString consoleMessage;
+
+  // The URL that was blocked by the policy.
+  WebURL blockedUrl;
+
+  // The set of URI where a JSON-formatted report of the violation should be
+  // sent.
+  WebVector<WebString> reportEndpoints;

[dcheng, 2017/03/13 19:02:54]

Can we use WebURL if these are URLs?

[arthursonzogni, 2017/03/14 15:38:57]

I don't know. Blink uses a Vector<String> in CPDirectiveList.h
I would have to convert it into an URL and then back to a string when it comes
back to blink.

I am not sure it is 100% related, but I think it is nice to keep it as string
because of the Reporting API that will launch:
https://www.w3.org/TR/2016/NOTE-reporting-1-20160607/

Summary:
```
It allows web developers to associate a set of named reporting endpoints with an
origin. Various platform features (like Content Security Policy, Network Error
Reporting, and others) will use these endpoints to deliver feature-specific
reports in a consistent manner.
```

[dcheng, 2017/03/16 08:34:46]

I talked with mkwst, and he's OK with changing this to use WebURL/KURL/GURL
throughout (since we convert to a KURL eventually anyway). The reporting API
linked there will use a new directive.

As this involves changing other random plumbing that's not necessarily related
to this CL though... would you be OK with addressing this in a followup?

[arthursonzogni, 2017/03/16 15:47:36]

Thank you for clarifying that. I will address it in a followup.

+
+  // The raw content security policy header that was infringed.
+  WebString header;
+
+  // Each policy has an associated disposition, which is either "enforce" or
+  // "report".
+  WebContentSecurityPolicyType disposition;
+
+  // Whether or not the violation happens after a redirect.
+  bool afterRedirect;
+};
+
 }  // namespace blink
 
 #endif