CSP: Adding the 'upgrade-insecure-requests' directive.

Source/core/loader/FrameLoader.cpp

Index: Source/core/loader/FrameLoader.cpp
diff --git a/Source/core/loader/FrameLoader.cpp b/Source/core/loader/FrameLoader.cpp
index 64701ab3aa37ded93480739484ba1185ef8bd5a1..a97a0ac6c8b099a695d81ea2b6a802b381f78c1c 100644
--- a/Source/core/loader/FrameLoader.cpp
+++ b/Source/core/loader/FrameLoader.cpp
@@ -1402,4 +1402,18 @@ bool FrameLoader::shouldEnforceStrictMixedContentChecking() const
     return toLocalFrame(parentFrame)->document()->shouldEnforceStrictMixedContentChecking();
 }
 
+SecurityContext::InsecureContentPolicy FrameLoader::insecureContentPolicy() const
+{
+    Frame* parentFrame = m_frame->tree().parent();
+    if (!parentFrame)
+        return SecurityContext::InsecureContentIgnore;
+
+    // FIXME: We need a way to propagate insecure content policy flags to
+    // out-of-process frames. For now, we'll always upgrade.
+    if (!parentFrame->isLocalFrame())
+        return SecurityContext::InsecureContentUpgrade;

[Yoav Weiss, 2015/02/05 13:25:36]

Why always upgrade? Isn't ignoring the safer option if we don't know what to do?

[Mike West, 2015/02/05 13:39:34]

I suppose so. *shrug* I'll change it. :)

+
+    return toLocalFrame(parentFrame)->document()->insecureContentPolicy();
+}
+
 } // namespace blink