Replicate Content-Security-Policy into remote frame proxies.
After this CL, when a local frame parses a new CSP header (from http
headers, from <meta> element, or when copying CSP from the parent frame
in case of about:blank children), a notification will be sent all the
way to the browser. The browser will store the CSP accumulated headers
in FrameReplicationState and notify RenderFrameProxies.
RenderFrameProxy will take care of using CSP headers received from the
browser to fill out RemoteSecurityContext's ContentSecurityPolicy.
After this CL, frame-src is properly enforced when navigating a frame
when its parent is a remote frame proxy. For example, when running
http/tests/security/contentSecurityPolicy/frame-src-child-frame-navigates-to-blocked-origin.html
the subframe navigation is blocked after this CL. OTOH, we cannot yet
enable this test, because the console message about CSP violation is
currently dropped when CSP comes from a remote frame. To work around
this, a few regression tests are being added by this CL as browser
tests.
BUG=585501
CQ_INCLUDE_TRYBOTS=tryserver.chromium.linux:linux_site_isolation
Review-Url: https://codereview.chromium.org/1957783002
Cr-Commit-Position: refs/heads/master@{#394200}
35 files changed
