
Unified Diff: third_party/WebKit/Source/core/frame/csp/SourceListDirectiveTest.cpp

Issue 2452903004: Part 2.2: Is policy list subsumed under subsuming policy? (Closed)
Patch Set: After rebasing on part2.1 Created 4 years, 1 month ago
Index: third_party/WebKit/Source/core/frame/csp/SourceListDirectiveTest.cpp
diff --git a/third_party/WebKit/Source/core/frame/csp/SourceListDirectiveTest.cpp b/third_party/WebKit/Source/core/frame/csp/SourceListDirectiveTest.cpp
index c9f16700d83011311de3b31c057881a96761cb0b..e2fbc8b5e890cabac3dcff511ca9ad04e4815f3f 100644
--- a/third_party/WebKit/Source/core/frame/csp/SourceListDirectiveTest.cpp
+++ b/third_party/WebKit/Source/core/frame/csp/SourceListDirectiveTest.cpp
@@ -293,4 +293,93 @@ TEST_F(SourceListDirectiveTest, GetIntersectCSPSources) {
}
}
+TEST_F(SourceListDirectiveTest, Subsumes) {
+ KURL base;
+ String requiredSources =
+ "http://example1.com/foo/ http://*.example2.com/bar/ "
+ "http://*.example3.com:*/bar/";
+ SourceListDirective required("script-src", requiredSources, csp.get());
+
+ struct TestCase {
+ std::vector<String> sourcesVector;
+ bool expected;
+ } cases[] = {
+ // Returned is subsumed by required.
Mike West 2016/11/10 15:04:55 s/Returned/|sourcesVector|/?
+ // Effective CSPSource list of returned is 0.
Mike West 2016/11/10 15:04:55 Nit: "// Non-intersecting source lists give an eff
+ {{"http://example1.com/bar/", "http://*.example3.com:*/bar/"}, true},
+ {{"http://example1.com/bar/",
+ "http://*.example3.com:*/bar/ http://*.example2.com/bar/"},
+ true},
+ // Effective CSPSource list of returned is 1.
Mike West 2016/11/10 15:04:55 Nit: // Lists that intersect into one of the requi
+ {{"http://example1.com/foo/"}, true},
+ {{"http://*.example2.com/bar/"}, true},
+ {{"http://*.example3.com:*/bar/"}, true},
+ {{"https://example1.com/foo/",
+ "http://*.example1.com/foo/ http://*.example2.com/bar/"},
+ true},
+ {{"http://example2.com/bar/",
+ "http://*.example3.com:*/bar/ http://*.example2.com/bar/"},
+ true},
+ {{"http://example3.com:100/bar/",
+ "http://*.example3.com:*/bar/ http://*.example2.com/bar/"},
+ true},
+ // Effective CSPSource list of returned is 2.
Mike West 2016/11/10 15:04:55 Nit: "// Lists that intersect into two of the requ
+ {{"http://example1.com/foo/ http://*.example2.com/bar/"}, true},
+ {{"http://example1.com/foo/ http://example2.com/bar/",
+ "http://example2.com/bar/ http://example1.com/foo/"},
+ true},
+ // Width should not matter.
Mike West 2016/11/10 15:04:55 s/Width/Ordering/?
+ {{"https://example1.com/foo/ https://example2.com/bar/",
+ "http://example2.com/bar/ http://example1.com/foo/"},
+ true},
+ // Effective CSPSource list of returned is 3.
Mike West 2016/11/10 15:04:55 Nit: "// Lists that intersect into a policy identi
+ {{"http://example1.com/foo/ http://*.example2.com/bar/ "
+ "http://*.example3.com:*/bar/ http://example1.com/foo/"},
+ true},
+ {{"http://example1.com/foo/ http://*.example2.com/bar/ "
+ "http://*.example3.com:*/bar/"},
+ true},
+ {{"http://example1.com/foo/ http://*.example2.com/bar/ "
+ "http://*.example3.com:*/bar/",
+ "http://example1.com/foo/ http://*.example2.com/bar/ "
+ "http://*.example3.com:*/bar/ http://example4.com/foo/"},
+ true},
+ {{"http://example1.com/foo/ http://*.example2.com/bar/ "
+ "http://*.example3.com:*/bar/",
+ "http://example1.com/foo/ http://*.example2.com/bar/ "
+ "http://*.example3.com:*/bar/ http://example1.com/foo/"},
+ true},
+ // Returned is NOT subsumed by required.
+ // Effective CSPSource list of returned is > 0.
Mike West 2016/11/10 15:04:55 Nit: "// Lists that include sources that aren't su
+ {{"http://example1.com/foo/ http://*.example2.com/bar/ "
+ "http://*.example3.com:*/bar/ http://*.example4.com:*/bar/"},
+ false},
+ {{"http://example1.com/foo/ http://example2.com/foo/"}, false},
+ {{"http://*.example1.com/bar/", "http://example1.com/bar/"}, false},
+ {{"http://*.example1.com/foo/"}, false},
+ {{"wss://example2.com/bar/"}, false},
+ {{"http://*.non-example3.com:*/bar/"}, false},
+ {{"http://example3.com/foo/"}, false},
+ {{"http://not-example1.com", "http://not-example1.com"}, false},
+ };
+
+ for (const auto& test : cases) {
+ HeapVector<Member<SourceListDirective>> returned;
+
+ for (const auto& sources : test.sourcesVector) {
+ SourceListDirective* member =
+ new SourceListDirective("script-src", sources, csp.get());
+ returned.append(member);
+ }
+
+ EXPECT_EQ(required.subsumes(returned), test.expected);
+
+ // If required is empty or '*', any returned should be subsumed by it.
+ SourceListDirective requiredIsAStar("script-src", "*", csp.get());
Mike West 2016/11/10 15:04:55 I don't think this is accurate, actually. `*` does
+ EXPECT_TRUE(
+ requiredIsAStar.subsumes(HeapVector<Member<SourceListDirective>>()));
+ EXPECT_TRUE(requiredIsAStar.subsumes(returned));
+ }
+}
+
} // namespace blink
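Review bot: The table loop asserts with a bare `EXPECT_EQ(required.subsumes(returned), test.expected);`, so a failure reports only `true` vs `false` and does not say which row of `cases` produced it. That matters most for the `false` rows, since those are what would catch `subsumes()` accepting a returned policy wider than the required one. Adding a trace at the top of the loop body, for example `SCOPED_TRACE(test.sourcesVector[0].utf8().data());` (assuming the usual `String::utf8()` accessor is available here), would name the failing row. Separately, `requiredIsAStar` and the assertion `EXPECT_TRUE(requiredIsAStar.subsumes(HeapVector<Member<SourceListDirective>>()));` do not depend on `test`, so they can be set up and checked once before the loop, leaving only `EXPECT_TRUE(requiredIsAStar.subsumes(returned));` inside it.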
