PlzNavigate: Do not disclose urls between cross-origin renderers.

content/common/content_security_policy/csp_context.h

Index: content/common/content_security_policy/csp_context.h
diff --git a/content/common/content_security_policy/csp_context.h b/content/common/content_security_policy/csp_context.h
index cc5f3b50873a7a62ce363cf3cf9f14f74ce28827..0eaae78aabca9546c337bb344fd93180685b31c1 100644
--- a/content/common/content_security_policy/csp_context.h
+++ b/content/common/content_security_policy/csp_context.h
@@ -55,6 +55,17 @@ class CONTENT_EXPORT CSPContext {
 
   virtual bool SchemeShouldBypassCSP(const base::StringPiece& scheme);
 
+  // For security reasons, some urls must not be disclosed. It includes the

[alexmos, 2017/05/12 01:37:20]

nit: disclosed -> disclosed cross-origin in violation reports.

[arthursonzogni, 2017/05/15 12:20:46]

Done.

+  // blocked url and the url of the initiator of the navigation. These
+  // informations are potentially transmitted between different renderer

[alexmos, 2017/05/12 01:37:20]

nit: These informations are -> This information is

[arthursonzogni, 2017/05/15 12:20:46]

Done.

+  // processes. When this function returns true, only the url's origin is
+  // displayed instead.
+  // TODO(arthursonzogni): Stop hidding sensitive parts of URLs in console

[alexmos, 2017/05/12 01:37:20]

nit: s/hidding/hiding/

[arthursonzogni, 2017/05/15 12:20:46]

Done.

+  // error message as soon as there is a way to send it to the devtool process

[alexmos, 2017/05/12 01:37:20]

nit: s/message/messages/
s/devtool/devtools/

[arthursonzogni, 2017/05/15 12:20:46]

Done.

+  // without the round trip in the renderer process.
+  // See https://crbug.com/721329
+  virtual bool ShouldProtectDataInCspViolation(const url::Origin& origin) const;
+
  private:
   bool has_self_ = false;
   std::string self_scheme_;