[FeaturePolicy] Initial implementation of Feature Policy

third_party/WebKit/Source/platform/feature_policy/FeaturePolicy.h

Index: third_party/WebKit/Source/platform/feature_policy/FeaturePolicy.h
diff --git a/third_party/WebKit/Source/platform/feature_policy/FeaturePolicy.h b/third_party/WebKit/Source/platform/feature_policy/FeaturePolicy.h
new file mode 100644
index 0000000000000000000000000000000000000000..147e32810cc81a11f325f3c12303acc7f820d764
--- /dev/null
+++ b/third_party/WebKit/Source/platform/feature_policy/FeaturePolicy.h
@@ -0,0 +1,140 @@
+// Copyright 2016 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef FeaturePolicy_h
+#define FeaturePolicy_h
+
+#include "platform/PlatformExport.h"
+#include "platform/heap/Handle.h"
+#include "platform/weborigin/SecurityOrigin.h"
+#include "wtf/RefPtr.h"
+#include "wtf/Vector.h"
+#include "wtf/text/WTFString.h"
+
+namespace blink {
+
+// The FeaturePolicyFeatureDefault enum defines the default enable state for a
+// feature when neither it nor any parent frame have declared an explicit
+// policy. The three possibilities map directly to Feature Policy Whitelist
+// semantics.
+enum FeaturePolicyFeatureDefault {
+  // Equivalent to []. The feature is never available by default, and can only
+  // be enabled by an explicit policy.
+  kDisableFeatureForAllOrigins,
+
+  // Equivalent to ["self"]. The feature is enabled for top-level frames, but

[raymes, 2016/10/18 02:42:31]

nit: I think "top-level" is a bit misleading, because it specifically means the
main frame. How about "the current frame".

[iclelland, 2016/10/19 12:51:55]

I think that's the point, though -- it's not true that it's "granted for the
current frame if neither the current frame nor any ancestor frames have declared
an explicit policy", which is how that would read. If the default is "self",
then it's available by default at the top level, but must be explicitly
delegated.

The "self" keyword is evaluated once, in the main frame, where it is expanded to
that frame's origin. After that, the usual inheritance rules apply.

[raymes, 2016/10/19 23:47:36]

I guess my main concern with the wording was that it only says something about
how the default affects the top-level frame. But defaults don't only have an
impact on the top-level frame, right? Don't they impact all frames? How do we
express the impact "self" would have on an arbitrarily nested frame that relied
on a default as opposed to specifying a whitelist?

I think I was taking the perspective of a developer who is thinking about their
page that might be arbitrarily embedded. They would ask the question "how will
this default affect my page if I don't override it?". That led to my suggestion:
"The feature will be enabled for the current frame, but not for any child
frames". Of course this depends on the current frame having access to the
feature in the first place (which I omitted :)

[iclelland, 2016/10/21 13:38:25]

The wording is wrong, now that I've given it some more thought; I was
considering only cross-origin frame inclusion. The actual effect of default:self
is that the feature is enabled by default at the top-level, but that does not
persist across origin boundaries. Every time you include a cross-origin frame,
you need to explicitly grant the new frame access to the feature.
I've updated the wording, and added a new test case for that as well.

+  // must be delegated to child frames in order for them to have access.
+  kEnableFeatureForSelf,
+
+  // Equivalent to ["*"]. The feature is enabled by default for all frames, but

[raymes, 2016/10/18 02:42:31]

all frames->for the current frame and all child frames ?

[iclelland, 2016/10/21 13:38:25]

I don't think "the current frame" means anything when you're declaring the
default policy for a feature, though. If you set the default to ["*"], you're
enabling the feature by default for all frames.

+  // can be disabled through policy by any frame, at which point it cannot be
+  // reenabled by any of that frame's children.

[raymes, 2016/10/18 02:42:31]

nit: these 2 lines are a little confusing. I think the first line is sufficient
and the algorithm can be studied to determine the behavior when defaults are
overridden. 

[iclelland, 2016/10/21 13:38:25]

Done.

+  kEnableFeatureForAllOrigins
+};
+
+// The FeaturePolicyFeature struct is used to define all features under control
+// of Feature Policy. There should only be one instance of this struct for any
+// given feature (declared below.)

[raymes, 2016/10/18 02:42:31]

nit: declared below).

[iclelland, 2016/10/19 12:51:55]

Done.

+struct FeaturePolicyFeature {
+  // The name of the feature, as it should appear in a policy string
+  const char* featureName;
+
+  // Controls whether the feature should be available in the platform by
+  // default, in the absence of any declared policy.
+  FeaturePolicyFeatureDefault defaultPolicy;
+};
+
+// Declarations for all features currently under control of the Feature Policy
+// mechanism should be placed here.
+extern const PLATFORM_EXPORT FeaturePolicyFeature kDocumentCookie;
+extern const PLATFORM_EXPORT FeaturePolicyFeature kDocumentDomain;
+extern const PLATFORM_EXPORT FeaturePolicyFeature kDocumentWrite;
+extern const PLATFORM_EXPORT FeaturePolicyFeature kGeolocationFeature;
+extern const PLATFORM_EXPORT FeaturePolicyFeature kMidiFeature;
+extern const PLATFORM_EXPORT FeaturePolicyFeature kNotificationsFeature;
+extern const PLATFORM_EXPORT FeaturePolicyFeature kPaymentFeature;
+extern const PLATFORM_EXPORT FeaturePolicyFeature kPushFeature;
+extern const PLATFORM_EXPORT FeaturePolicyFeature kSyncScript;
+extern const PLATFORM_EXPORT FeaturePolicyFeature kSyncXHR;
+extern const PLATFORM_EXPORT FeaturePolicyFeature kUsermedia;
+extern const PLATFORM_EXPORT FeaturePolicyFeature kVibrateFeature;
+extern const PLATFORM_EXPORT FeaturePolicyFeature kWebRTC;
+
+class PLATFORM_EXPORT FeaturePolicy final
+    : public GarbageCollectedFinalized<FeaturePolicy> {
+ public:
+  static FeaturePolicy* createFromParentPolicy(const FeaturePolicy* parent,
+                                               RefPtr<SecurityOrigin>);
+
+  // Adds a policy to a frame, taking into account any existing or default
+  // policy which applies.
+  void addPolicyFromString(const String& policy);
+
+  // Returns whether or not the given feature is enabled by this policy.
+  bool isFeatureEnabledForOrigin(const FeaturePolicyFeature*,
+                                 const SecurityOrigin*) const;
+
+  // Returns whether or not the given feature is enabled for the policy's

[raymes, 2016/10/18 02:42:31]

nit: for the origin of the frame that owns the policy.

[iclelland, 2016/10/19 12:51:55]

Done.

+  // origin.
+  bool isFeatureEnabled(const FeaturePolicyFeature*) const;
+
+  // Returns the global feature registry; the set of all features which can be
+  // controlled by Feature Policy.
+  static Vector<const FeaturePolicyFeature*>& getFeatureRegistry();
+
+  String toString();
+
+  DECLARE_VIRTUAL_TRACE();
+
+ private:
+  // Represents a collection of origins which make up a whitelist in a feature
+  // policy. This collection may be set to match every origin (corresponding to
+  // the "*" syntax in the policy string, in which case the contains() method
+  // will always return true.
+  class Whitelist final : public GarbageCollectedFinalized<Whitelist> {
+   public:
+    Whitelist();
+
+    // Adds a single origin to the whitelist.
+    void add(RefPtr<SecurityOrigin>);
+
+    // Adds all origins to the whitelist.
+    void addAll();
+
+    // Returns true if the given origin has been added to the whitelist.
+    bool contains(const SecurityOrigin*) const;
+    String toString();
+
+    DEFINE_INLINE_VIRTUAL_TRACE() {}
+
+   private:
+    bool m_matchesAllOrigins;
+    Vector<RefPtr<SecurityOrigin>> m_origins;
+  };
+
+  explicit FeaturePolicy(PassRefPtr<SecurityOrigin>);
+
+  // Parses a policy string into a set of whitelists for features.
+  HeapHashMap<const FeaturePolicyFeature*, Member<Whitelist>> parse(
+      const String&);
+
+  RefPtr<SecurityOrigin> m_origin;
+
+  // Records whether or not each feature was enabled for this frame by its
+  // parent frame.
+  // TODO(iclelland): Generate, instead of this map, a set of bool flags, one
+  // for each feature, as all features are supposed to be represented here.
+  HashMap<const FeaturePolicyFeature*, bool> m_inheritedFeatures;
+
+  // Map of feature names to declared whitelists. Any feature which is missing
+  // from this map should use the inherited policy.
+  HeapHashMap<const FeaturePolicyFeature*, Member<Whitelist>>
+      m_declaredWhitelists;
+
+  DISALLOW_COPY_AND_ASSIGN(FeaturePolicy);
+};
+
+}  // namespace blink
+
+#endif  // FeaturePolicy_h