authorAllan Sandfeld Jensen <allan.jensen@qt.io>2018-01-29 11:09:26 +0100
committerAllan Sandfeld Jensen <allan.jensen@qt.io>2018-01-29 13:27:03 +0000
commit66a21db86455dc416b39e46e7c8f14015802e521 (patch)
tree87fa21a3f12b7378480d3d8bfea888ff1d60b169
parentce4d3b4e0a6050a81fec26b85abb8f6b86198fb2 (diff)
downloadqtwebengine-chromium-66a21db86455dc416b39e46e7c8f14015802e521.tar.gz
[Backport] Fixed bug where PlzNavigate CSP in a iframe did not get the inherited CSP
When inheriting the CSP from a parent document to a local-scheme CSP, it does not always get propagated to the PlzNavigate CSP. This means that PlzNavigate CSP checks (like `frame-src`) would be run against a blank policy instead of the proper inherited policy. Bug: 778658 Reviewed-on: https://chromium-review.googlesource.com/765969 Commit-Queue: Andy Paicu <andypaicu@chromium.org> Reviewed-by: Mike West <mkwst@chromium.org> Cr-Commit-Position: refs/heads/master@{#518245} (CVE-2018-6040) Change-Id: Iaa11f67f950fc58c213a5f2c09ffeae41d5f8dac Reviewed-by: Michal Klocek <michal.klocek@qt.io>
-rw-r--r--chromium/third_party/WebKit/Source/core/dom/Document.cpp4
1 files changed, 2 insertions, 2 deletions
diff --git a/chromium/third_party/WebKit/Source/core/dom/Document.cpp b/chromium/third_party/WebKit/Source/core/dom/Document.cpp
index a39067db8c5..871d1b10fc5 100644
--- a/chromium/third_party/WebKit/Source/core/dom/Document.cpp
+++ b/chromium/third_party/WebKit/Source/core/dom/Document.cpp
@@ -5908,6 +5908,8 @@ void Document::InitContentSecurityPolicy(
const ContentSecurityPolicy* policy_to_inherit) {
SetContentSecurityPolicy(csp ? csp : ContentSecurityPolicy::Create());
+ GetContentSecurityPolicy()->BindToExecutionContext(this);
+
// We inherit the parent/opener's CSP for documents with "local" schemes:
// 'about', 'blob', 'data', and 'filesystem'. We also inherit CSP for
// documents with empty/invalid URLs because we treat those URLs as
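Review bot: The `BindToExecutionContext(this)` call added at the top of `InitContentSecurityPolicy` carries no comment saying that its position is load-bearing. Per the commit message, the inherited policy only reaches the PlzNavigate CSP when the bind happens before the inheritance code below, and nothing in the code would stop a later refactor from moving the call back to the end of the function. I would add a comment above it, for example `// Bind first: policies copied from |policy_to_inherit| below must be propagated to the PlzNavigate CSP, which enforces checks such as frame-src.` The diffstat shows only Document.cpp changed, so this backport appears to carry no regression test; a test asserting `frame-src` enforcement in a local-scheme iframe that inherits its parent's policy would pin the ordering. The function body continues outside this hunk.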
@@ -5937,8 +5939,6 @@ void Document::InitContentSecurityPolicy(
// regardless of URL.
if (policy_to_inherit && IsPluginDocument())
GetContentSecurityPolicy()->CopyPluginTypesFrom(policy_to_inherit);
-
- GetContentSecurityPolicy()->BindToExecutionContext(this);
}
bool Document::IsSecureTransitionTo(const KURL& url) const {