Added validation of the policy specified in the 'csp' attribute

third_party/WebKit/Source/core/html/HTMLIFrameElement.cpp

Index: third_party/WebKit/Source/core/html/HTMLIFrameElement.cpp
diff --git a/third_party/WebKit/Source/core/html/HTMLIFrameElement.cpp b/third_party/WebKit/Source/core/html/HTMLIFrameElement.cpp
index 89a15795c0c9336e5b6a26d2479acd206e677bab..292ea1f6b3e015e15bf26f35d99327e74a9d1faf 100644
--- a/third_party/WebKit/Source/core/html/HTMLIFrameElement.cpp
+++ b/third_party/WebKit/Source/core/html/HTMLIFrameElement.cpp
@@ -27,6 +27,7 @@
 #include "core/CSSPropertyNames.h"
 #include "core/HTMLNames.h"
 #include "core/frame/UseCounter.h"
+#include "core/frame/csp/CSPDirectiveList.h"
 #include "core/html/HTMLDocument.h"
 #include "core/inspector/ConsoleMessage.h"
 #include "core/layout/LayoutIFrame.h"
@@ -167,12 +168,16 @@ void HTMLIFrameElement::ParseAttribute(
     }
   } else if (RuntimeEnabledFeatures::embedderCSPEnforcementEnabled() &&
              name == cspAttr) {
-    // TODO(amalika): add more robust validation of the value
-    if (!value.GetString().ContainsOnlyASCII()) {
+    if (!CSPDirectiveList::IsValid(

[Mike West, 2017/05/29 07:46:21]

If you have a method on `ContentSecurityPolicy` itself, why do you need to
expose/use the version on CSPDirectiveList?

+            value.GetString(),
+            ContentSecurityPolicyHeaderType::
+                kContentSecurityPolicyHeaderTypeEnforce,
+            ContentSecurityPolicyHeaderSource::
+                kContentSecurityPolicyHeaderSourceHTTP)) {
       csp_ = g_null_atom;
       GetDocument().AddConsoleMessage(ConsoleMessage::Create(
           kOtherMessageSource, kErrorMessageLevel,
-          "'csp' attribute contains non-ASCII characters: " + value));
+          "'csp' attribute is not a valid policy: " + value));
       return;
     }
     AtomicString old_csp = csp_;