PlzNavigate: Enforce 'frame-src' CSP on the browser.

third_party/WebKit/public/platform/WebContentSecurityPolicyStruct.h

Index: third_party/WebKit/public/platform/WebContentSecurityPolicyStruct.h
diff --git a/third_party/WebKit/public/platform/WebContentSecurityPolicyStruct.h b/third_party/WebKit/public/platform/WebContentSecurityPolicyStruct.h
index 2e1d0bd5caa30547f65f69e5a1f03b2cf27ddddc..ccd838fd92ba9e82513cf6df39ecac0b4828cdae 100644
--- a/third_party/WebKit/public/platform/WebContentSecurityPolicyStruct.h
+++ b/third_party/WebKit/public/platform/WebContentSecurityPolicyStruct.h
@@ -33,6 +33,7 @@
 
 #include "public/platform/WebContentSecurityPolicy.h"
 #include "public/platform/WebString.h"
+#include "public/platform/WebURL.h"
 #include "public/platform/WebVector.h"
 
 namespace blink {
@@ -70,6 +71,35 @@ struct WebContentSecurityPolicyPolicy {
   WebString header;
 };
 
+struct WebContentSecurityPolicyViolation {
+  // The name of the directive that infringe the policy. |directive| might be a

[alexmos, 2017/03/13 17:26:26]

nit: s/infringe/violates/

[arthursonzogni, 2017/03/14 15:38:57]

Done.

+  // directive that serves as a fallback to the |effective_directive|.
+  WebString directive;
+
+  // The name the effective directive that was checked against.
+  WebString effectiveDirective;
+
+  // The console message to be displayed to the user.
+  WebString consoleMessage;
+
+  // The URL that was blocked by the policy.
+  WebURL blockedUrl;
+
+  // The set of URI where a JSON-formatted report of the violation should be
+  // sent.
+  WebVector<WebString> reportEndpoints;

[dcheng, 2017/03/13 19:02:54]

Can we use WebURL if these are URLs?

[arthursonzogni, 2017/03/14 15:38:57]

I don't know. Blink uses a Vector<String> in CPDirectiveList.h
I would have to convert it into an URL and then back to a string when it comes
back to blink.

I am not sure it is 100% related, but I think it is nice to keep it as string
because of the Reporting API that will launch:
https://www.w3.org/TR/2016/NOTE-reporting-1-20160607/

Summary:
```
It allows web developers to associate a set of named reporting endpoints with an
origin. Various platform features (like Content Security Policy, Network Error
Reporting, and others) will use these endpoints to deliver feature-specific
reports in a consistent manner.
```

[dcheng, 2017/03/16 08:34:46]

I talked with mkwst, and he's OK with changing this to use WebURL/KURL/GURL
throughout (since we convert to a KURL eventually anyway). The reporting API
linked there will use a new directive.

As this involves changing other random plumbing that's not necessarily related
to this CL though... would you be OK with addressing this in a followup?

[arthursonzogni, 2017/03/16 15:47:36]

Thank you for clarifying that. I will address it in a followup.

+
+  // The raw content security policy header that was infringed.
+  WebString header;
+
+  // Each policy has an associated disposition, which is either "enforce" or
+  // "report".
+  WebContentSecurityPolicyType disposition;
+
+  // Whether or not the violation happens after a redirect.
+  bool afterRedirect;
+};
+
 }  // namespace blink
 
 #endif