chore: cherry-pick 8af66de55aad from chromium

[ppontes]

Limit length of 'csp' attribute

Most servers limit the length of request headers anywhere. 4Kb seems
like a reasonable limit, which some popular http servers have by
default, and which we already enforce for Referer
(https://crrev.com/c/1595872).

I would have liked the constant 4096 to be shared between //content
and blink. This would have required putting it somewhere like in
//services/network or in //third_party/blink/common, creating a new
file for it. I thought it would be easier to avoid that for this
change.

It would be safer to not load the iframe document, or to impose some
very strict CSP like "default-src 'none'", instead than just ignoring
the 'csp' attribute if that's too long. However, ignoring is what we
already do if the attribute contains illegal characters or does not
match the CSP grammary or is not subsumed by the parent iframe's csp
attribute. For this change, I believe it's better to stay consistent
with that, and later change the CSPEE code to block loading in all
those cases.

Bug: 1233067
Change-Id: Ie9cd3db82287a76892cca76a0bf0d4a1613a3055
Fixed: 1233067
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3057048
Commit-Queue: Antonio Sartori antoniosartori@chromium.org
Reviewed-by: Arthur Sonzogni arthursonzogni@chromium.org
Reviewed-by: Mike West mkwst@chromium.org
Cr-Commit-Position: refs/heads/main@{#914730}

Notes: Backported fix for CVE-2021-37989.

[release-clerk]

Release Notes Persisted

Backported fix for CVE-2021-37989.