Implement upgrade-insecure-requests in browser for frame requests

content/browser/frame_host/form_submission_throttle.cc

Index: content/browser/frame_host/form_submission_throttle.cc
diff --git a/content/browser/frame_host/form_submission_throttle.cc b/content/browser/frame_host/form_submission_throttle.cc
index 5784bbfa3317bd268e36176c8fa916481c357b03..5a235d8698ee0244657d5532963e8b7fc36b6e88 100644
--- a/content/browser/frame_host/form_submission_throttle.cc
+++ b/content/browser/frame_host/form_submission_throttle.cc
@@ -60,8 +60,12 @@ FormSubmissionThrottle::CheckContentSecurityPolicyFormAction(bool is_redirect) {
   RenderFrameHostImpl* render_frame =
       handle->frame_tree_node()->current_frame_host();
 
+  // TODO(estark): Move this check into NavigationRequest and split it into (1)
+  // check report-only CSP, (2) upgrade request if needed, (3) check enforced
+  // CSP to match how frame-src works. https://crbug.com/713388

[nasko, 2017/06/05 21:31:49]

Alternatively, we can see if it makes sense to have
NavigationThrottle/NavigationHandle gain functionality to allow updating of the
URL for such cases. It is easier if we have all the checks in throttles code
instead of having some in NavigaitonRequest and some in throttles. However, this
should have no impact on this CL, just thinking aloud about the comment.

[estark, 2017/06/06 19:16:14]

Acknowledged. I agree it could be nice to allow the throttle to do this logic,
since it's kind of weird to have this one check done here and other similar
checks in throttles. However, one challenge with that approach is that we'd have
to be careful about the order that throttles run in, because the throttle that
does the CSP upgrade would have to run, and be allowed to update the URL, before
the mixed content throttle.

   if (render_frame->IsAllowedByCsp(CSPDirective::FormAction, url, is_redirect,
-                                   handle->source_location())) {
+                                   handle->source_location(),
+                                   CSPContext::CHECK_ALL_CSP)) {
     return NavigationThrottle::PROCEED;
   }