Use correct Request Context when EMBED or OBJECT requests an image

When an OBJECT or EMBED element requests an image, it does so using
an ImageLoader. To ensure that Content-Security-Policy restrictions
are applied correctly in this scenario, we must adjust the request's
context to indicate the originating element.

Bug: 811691
Change-Id: I0fd8010970a12e68e845a54310695acc0b3f7625
Reviewed-on: https://chromium-review.googlesource.com/924589
Commit-Queue: Eric Lawrence <elawrence@chromium.org>
Reviewed-by: Mike West <mkwst@chromium.org>
Cr-Commit-Position: refs/heads/master@{#537846}

third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/embed-src-image-url-blocked-expected.txt

+CONSOLE ERROR: Refused to load plugin data from 'http://127.0.0.1:8000/resources/square20.jpg' because it violates the following Content Security Policy directive: "object-src 'none'".
+
+This test passes if there is a console message saying the plugin was blocked. 

third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/embed-src-image-url-blocked.html

+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.testRunner)
+    testRunner.dumpAsText();
+</script>
+<meta http-equiv="Content-Security-Policy" content="object-src 'none'">
+</head>
+<body>
+This test passes if there is a console message saying the plugin was blocked.
+<embed src="/resources/square20.jpg"></embed>
+</body>
+</html>
+

third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-image-url-blocked-expected.txt

+CONSOLE ERROR: Refused to load plugin data from 'http://127.0.0.1:8000/resources/square20.jpg' because it violates the following Content Security Policy directive: "object-src 'none'".
+
+This test passes if there is a console message saying the plugin was blocked.

third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-image-url-blocked.html

+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.testRunner)
+    testRunner.dumpAsText();
+</script>
+<meta http-equiv="Content-Security-Policy" content="object-src 'none'">
+</head>
+<body>
+This test passes if there is a console message saying the plugin was blocked.
+<object data="/resources/square20.jpg"></object>
+</body>
+</html>
+

third_party/WebKit/Source/core/loader/ImageLoader.cpp

@@ -23,6 +23,8 @@
 #include "core/loader/ImageLoader.h"
 
 #include <memory>
+#include <utility>
+
 #include "bindings/core/v8/ExceptionState.h"
 #include "bindings/core/v8/ScriptController.h"
 #include "bindings/core/v8/V8BindingForCore.h"
@@ -391,10 +393,16 @@ void ImageLoader::DoUpdateFromElement(BypassMainWorldBehavior bypass_behavior,
           referrer_policy, url, document.OutgoingReferrer()));
     }
 
+    // Correct the RequestContext if necessary.
     if (IsHTMLPictureElement(GetElement()->parentNode()) ||
-        !GetElement()->FastGetAttribute(HTMLNames::srcsetAttr).IsNull())
+        !GetElement()->FastGetAttribute(HTMLNames::srcsetAttr).IsNull()) {
       resource_request.SetRequestContext(
           WebURLRequest::kRequestContextImageSet);
+    } else if (IsHTMLObjectElement(GetElement())) {
+      resource_request.SetRequestContext(WebURLRequest::kRequestContextObject);
+    } else if (IsHTMLEmbedElement(GetElement())) {
+      resource_request.SetRequestContext(WebURLRequest::kRequestContextEmbed);
+    }
 
     bool page_is_being_dismissed =
         document.PageDismissalEventBeingDispatched() != Document::kNoDismissal;