Part 3.1: Is policy list subsumed under subsuming policy?

third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.cpp

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "core/frame/csp/CSPDirectiveList.h"
 
 #include "bindings/core/v8/SourceLocation.h"
 #include "core/dom/Document.h"
 #include "core/dom/SecurityContext.h"
 #include "core/dom/SpaceSplitString.h"
@@ skipping 1124 matching lines @@
                                ContentSecurityPolicy::TreatAsPublicAddress)) {
     treatAsPublicAddress(name, value);
   } else if (equalIgnoringCase(name, ContentSecurityPolicy::RequireSRIFor) &&
              m_policy->experimentalFeaturesEnabled()) {
     parseRequireSRIFor(name, value);
   } else {
     m_policy->reportUnsupportedDirective(name);
   }
 }
 
+SourceListDirective* CSPDirectiveList::getSourceListDirective(
+    const char* name) {
+  if (name == ContentSecurityPolicy::BaseURI)
+    return m_baseURI.get();
+  if (name == ContentSecurityPolicy::ChildSrc)
+    return m_childSrc.get();
+  if (name == ContentSecurityPolicy::ConnectSrc)
+    return m_connectSrc.get();
+  if (name == ContentSecurityPolicy::FontSrc)
+    return m_fontSrc.get();
+  if (name == ContentSecurityPolicy::FormAction)
+    return m_formAction.get();
+  if (name == ContentSecurityPolicy::FrameAncestors)
+    return m_frameAncestors.get();
+  if (name == ContentSecurityPolicy::FrameSrc)
+    return m_frameSrc.get();
+  if (name == ContentSecurityPolicy::ImgSrc)
+    return m_imgSrc.get();
+  if (name == ContentSecurityPolicy::MediaSrc)
+    return m_mediaSrc.get();
+  if (name == ContentSecurityPolicy::ManifestSrc)
+    return m_manifestSrc.get();
+  if (name == ContentSecurityPolicy::ObjectSrc)
+    return m_objectSrc.get();
+  if (name == ContentSecurityPolicy::ScriptSrc)
+    return m_scriptSrc.get();
+  if (name == ContentSecurityPolicy::StyleSrc)
+    return m_styleSrc.get();
+  if (name == ContentSecurityPolicy::WorkerSrc)
+    return m_workerSrc.get();
+
+  return nullptr;
+}
+
+SourceListDirectiveVector CSPDirectiveList::getSourceVector(
+    const char* name,
+    CSPDirectiveListVector policies) {
+  SourceListDirectiveVector sourceListDirectives;
+  for (const auto& policy : policies) {
+    SourceListDirective* directive = policy->getSourceListDirective(name);
+
+    if (name == ContentSecurityPolicy::FrameSrc) {
+      // m_frameSrc defaults to m_childSrc, which defaults to m_defaultSrc.
+      directive = policy->operativeDirective(
+          directive, policy->operativeDirective(policy->m_childSrc.get()));
+    } else if (String(name).endsWith("src")) {

[amalika, 2016/11/21 15:57:06]

Another approach would be to define an enum (such as `DefaultBehavior` enum in
tests), a method that would map directives to their default behaviour and then
have a switch here instead.

[Mike West, 2016/11/23 11:19:02]

Or do the work in `getSourceListDirective` instead. That is:

```
if (name == whatever)
  return operativeDirective(m_whatever);
if (name == whatever2)
  return operativeDirective(m_whatever2, operativeDirective(m_whatever3));
```

+      // All directives that end with "src" default to m_defaultSrc.
+      directive = policy->operativeDirective(directive);
+    }
+
+    if (directive)
+      sourceListDirectives.append(directive);
+  }
+
+  return sourceListDirectives;
+}
+
+bool CSPDirectiveList::subsumes(CSPDirectiveListVector other) {
+  const char* directives[] = {
+      // Fetch Directives
+      ContentSecurityPolicy::ChildSrc, ContentSecurityPolicy::ConnectSrc,
+      ContentSecurityPolicy::FontSrc, ContentSecurityPolicy::FrameSrc,
+      ContentSecurityPolicy::ImgSrc, ContentSecurityPolicy::ManifestSrc,
+      ContentSecurityPolicy::MediaSrc, ContentSecurityPolicy::ObjectSrc,
+      ContentSecurityPolicy::ScriptSrc, ContentSecurityPolicy::StyleSrc,
+      ContentSecurityPolicy::WorkerSrc,
+      // Document Directives
+      ContentSecurityPolicy::BaseURI,
+      // Navigation Directives
+      ContentSecurityPolicy::FrameAncestors, ContentSecurityPolicy::FormAction};
+
+  for (const auto& directive : directives) {
+    // There should only be one SourceListDirective for each directive in
+    // Embedding-CSP.
+    SourceListDirectiveVector requiredList =
+        getSourceVector(directive, CSPDirectiveListVector(1, this));
+    if (requiredList.size() == 0)
+      continue;
+    SourceListDirective* required = requiredList[0];
+    // Aggregate all serialized source lists of the returned CSP into a vector
+    // based on a directive type, defaulting accordingly (for example, to
+    // `default-src`).
+    SourceListDirectiveVector returned = getSourceVector(directive, other);
+    // TODO(amalika): Add checks for plugin-types, sandbox, disown-opener,
+    // navigation-to, worker-src.
+    if (!required->subsumes(returned))
+      return false;
+  }
+
+  return true;
+}
+
 DEFINE_TRACE(CSPDirectiveList) {
   visitor->trace(m_policy);
   visitor->trace(m_pluginTypes);
   visitor->trace(m_baseURI);
   visitor->trace(m_childSrc);
   visitor->trace(m_connectSrc);
   visitor->trace(m_defaultSrc);
   visitor->trace(m_fontSrc);
   visitor->trace(m_formAction);
   visitor->trace(m_frameAncestors);
   visitor->trace(m_frameSrc);
   visitor->trace(m_imgSrc);
   visitor->trace(m_mediaSrc);
   visitor->trace(m_manifestSrc);
   visitor->trace(m_objectSrc);
   visitor->trace(m_scriptSrc);
   visitor->trace(m_styleSrc);
   visitor->trace(m_workerSrc);
 }
 
 }  // namespace blink