Make mixed content checking and CSP aware of RemoteFrames

Source/core/frame/csp/CSPDirectiveList.cpp

Index: Source/core/frame/csp/CSPDirectiveList.cpp
diff --git a/Source/core/frame/csp/CSPDirectiveList.cpp b/Source/core/frame/csp/CSPDirectiveList.cpp
index a9e8f99bde697f8a000eb907c7c568f00be61ad9..4ea6b5046615a3ee61c4d4b570ab1ac00f98ff84 100644
--- a/Source/core/frame/csp/CSPDirectiveList.cpp
+++ b/Source/core/frame/csp/CSPDirectiveList.cpp
@@ -92,8 +92,9 @@ bool CSPDirectiveList::checkAncestors(SourceListDirective* directive, LocalFrame
     if (!frame || !directive)
         return true;
 
-    for (LocalFrame* current = frame->tree().parent(); current; current = current->tree().parent()) {
-        if (!directive->allows(current->document()->url()))
+    for (Frame* current = frame->tree().parent(); current; current = current->tree().parent()) {
+        // FIXME: To make this work for out-of-process iframes, we need to propagate URL information of ancestor frames across processes.
+        if (!current->isLocalFrame() || !directive->allows(toLocalFrame(current)->document()->url()))

[dcheng, 2014/05/29 21:45:28]

Should we make these security checks fail open for now? RemoteFrame is not going
to be a shipping configuration for some time, and if it fails closed, it might
make development harder for us.

             return false;
     }
     return true;