PlzNavigate: Enforce 'frame-src' CSP on the browser.

content/browser/frame_host/navigator_impl.cc

Index: content/browser/frame_host/navigator_impl.cc
diff --git a/content/browser/frame_host/navigator_impl.cc b/content/browser/frame_host/navigator_impl.cc
index 07f3cc9d1eb6137155132c4f146032ea6b1efe7d..f8a810296452dece15a380cb48faea1efc7e48fe 100644
--- a/content/browser/frame_host/navigator_impl.cc
+++ b/content/browser/frame_host/navigator_impl.cc
@@ -231,7 +231,8 @@ void NavigatorImpl::DidStartProvisionalLoad(
       validated_url, validated_redirect_chain,
       render_frame_host->frame_tree_node(), is_renderer_initiated,
       false,  // is_same_page
-      navigation_start, pending_nav_entry_id, started_from_context_menu));
+      navigation_start, pending_nav_entry_id, started_from_context_menu,
+      false));  // should_bypass_main_world_csp
 }
 
 void NavigatorImpl::DidFailProvisionalLoadWithError(
@@ -612,6 +613,7 @@ void NavigatorImpl::DidNavigate(
   // Navigating to a new location means a new, fresh set of http headers and/or
   // <meta> elements - we need to reset CSP and Feature Policy.
   if (!is_navigation_within_page) {
+    render_frame_host->ResetContentSecurityPolicies();
     render_frame_host->frame_tree_node()->ResetContentSecurityPolicy();

[alexmos, 2017/03/01 02:22:28]

It looks a bit weird to call something to reset CSP twice on both RFH and FTN. 
Perhaps we could combine them somehow and call one from the other, or rename the
FTN ResetContentSecurityPolicy into something like ResetCSPHeaders, since it's
really about resetting replicated CSP headers.  Not that big of a deal.

[arthursonzogni, 2017/03/06 15:09:02]

Done.

     render_frame_host->frame_tree_node()->ResetFeaturePolicyHeader();
   }