CSP Suborigins

LayoutTests/http/tests/security/contentSecurityPolicy/suborigin-allow.html

+<meta http-equiv="Content-Security-Policy" content="suborigin foobar">

[abarth-chromium, 2014/07/31 05:02:05]

I don't understand how this works.  Does this mean a document can change
suborigins in the middle of execution?  For example, if we put a <script> block
above the meta tag, would that script execute outside the suborigin?

If we permit that, we'll be getting into a bunch of the insanity of
document.domain where you can have a JavaScript reference to an object that you
can no longer access.

I thought for |sandbox| we prevented it from being engaged via the meta tag. 
Instead, you have to use the HTTP header, which means the document is in the
sandbox from the start.  IMHO, we should do the same thing here.

[jww, 2014/10/21 23:51:06]

I 100% agree. I should have mentioned this in my original comments, but for
experimental purposes, I am allowing <meta> suborigin creation for ease of use.
Definitely for the Real Thing, this is not acceptable, and it needs to be header
only. For now, bear with me on this, and I'll separately try to take a stab at
getting this to work header-only.

+<script>
+if (window.testRunner) {
+    testRunner.waitUntilDone();
+    testRunner.dumpAsText();
+}
+
+function iframeLoaded() {
+    var iframe = document.getElementById('iframe');
+    try {
+        var secret = iframe.contentWindow.secret;
+        alert("PASS: Secret is '" + secret + "'.");
+    } catch(e) {
+        alert('FAIL: Prevented from accessing the content of the iframe in the same suborigin.');
+    }
+    testRunner.notifyDone();
+}
+</script>
+<p>
+This tests whether a frame in a can access secrets in a frame in the same suborigin.
+</p>
+<iframe onload="iframeLoaded();" id="iframe" src="resources/suborigin-frame.html"></iframe>