CSP: Use a specified frame for reporting 'frame-ancestors' violations.

CSP: Use a specified frame for reporting 'frame-ancestors' violations.

We don't have an ExecutionContext when dealing with 'frame-ancestors'
violations. This patch uses the LocalFrame which we pass into
allowAncestors in order to provide hooks for both PingLoader and
ConsoleMessages.

It also fiddles a bit with the reporting data, as we'd otherwise suggest
that 'about:blank' failed to load (as that's the initial contents of a
frame before we navigate to a document).

BUG=412725
Committed: https://src.chromium.org/viewvc/blink?view=rev&revision=181910

[Mike West, 2014-09-10 11:50:56]

mkwst@chromium.org changed reviewers:
+ jochen@chromium.org, philipj@opera.com, sigbjornf@opera.com

[Mike West, 2014-09-10 11:50:56]

This depends on a few other CLs, I'll throw it to the bots when they land.

-mike

[philipj_slow, 2014-09-12 08:35:46]

This was simple enough, LGTM with nits. I don't have the experience with CSP to
catch any subtle issues, though.

https://codereview.chromium.org/553423002/diff/1/Source/core/frame/csp/Conten...
File Source/core/frame/csp/ContentSecurityPolicy.cpp (right):

https://codereview.chromium.org/553423002/diff/1/Source/core/frame/csp/Conten...
Source/core/frame/csp/ContentSecurityPolicy.cpp:699: // If we have a context
frame we're dealing with 'frame-ancestors' and we don't have our
This is a little indirect, could something like "ASSERT(!!contextFrame ==
!document())" be added to show that it holds true? Even better if "we're dealing
with 'frame-ancestors'" could be asserted directly, but I don't know if that's
possible here.

https://codereview.chromium.org/553423002/diff/1/Source/core/frame/csp/Conten...
Source/core/frame/csp/ContentSecurityPolicy.cpp:700: // own document. Use the
frame's document complete the endpoint URL, overriding its URL
document *to* complete?

[Mike West, 2014-09-12 11:27:27]

I've added ASSERTs which verify that we _either_ have a contextFrame _or_ an
ExecutionContext, but not both, and that we're dealing with a frame-ancestors
directive.

Thanks!

https://codereview.chromium.org/553423002/diff/1/Source/core/frame/csp/Conten...
File Source/core/frame/csp/ContentSecurityPolicy.cpp (right):

https://codereview.chromium.org/553423002/diff/1/Source/core/frame/csp/Conten...
Source/core/frame/csp/ContentSecurityPolicy.cpp:699: // If we have a context
frame we're dealing with 'frame-ancestors' and we don't have our
On 2014/09/12 08:35:46, philipj wrote:
> This is a little indirect, could something like "ASSERT(!!contextFrame ==
> !document())" be added to show that it holds true? Even better if "we're
dealing
> with 'frame-ancestors'" could be asserted directly, but I don't know if that's
> possible here.

Done.

https://codereview.chromium.org/553423002/diff/1/Source/core/frame/csp/Conten...
Source/core/frame/csp/ContentSecurityPolicy.cpp:700: // own document. Use the
frame's document complete the endpoint URL, overriding its URL
On 2014/09/12 08:35:46, philipj wrote:
> document *to* complete?

Done.

[Mike West, 2014-09-12 11:27:32]

The CQ bit was checked by mkwst@chromium.org

[commit-bot: I haz the power, 2014-09-12 11:30:38]

CQ is trying da patch. Follow status at
 https://chromium-cq-status.appspot.com/patchset/553423002/20001

[Mike West, 2014-09-12 11:32:33]

The CQ bit was checked by mkwst@chromium.org

[Mike West, 2014-09-12 11:32:33]

The CQ bit was unchecked by mkwst@chromium.org

[Mike West, 2014-09-12 15:12:34]

The CQ bit was checked by mkwst@chromium.org

[commit-bot: I haz the power, 2014-09-12 15:13:35]

CQ is trying da patch. Follow status at
 https://chromium-cq-status.appspot.com/patchset/553423002/20001

[commit-bot: I haz the power, 2014-09-12 15:14:19]

Committed patchset #2 (id:20001) as 181910