Part 3.1: Is policy list subsumed under subsuming policy?

third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.cpp

Index: third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.cpp
diff --git a/third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.cpp b/third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.cpp
index 4bdfefc6cc7a7147cdca93bbf6659dc25093bb0f..f78b559b1264ac532d3677b3ad727a824c7f4ee2 100644
--- a/third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.cpp
+++ b/third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.cpp
@@ -1142,6 +1142,98 @@ void CSPDirectiveList::addDirective(const String& name, const String& value) {
   }
 }
 
+SourceListDirective* CSPDirectiveList::getSourceListDirective(
+    const char* name) {
+  if (name == ContentSecurityPolicy::BaseURI)
+    return m_baseURI.get();
+  if (name == ContentSecurityPolicy::ChildSrc)
+    return m_childSrc.get();
+  if (name == ContentSecurityPolicy::ConnectSrc)
+    return m_connectSrc.get();
+  if (name == ContentSecurityPolicy::FontSrc)
+    return m_fontSrc.get();
+  if (name == ContentSecurityPolicy::FormAction)
+    return m_formAction.get();
+  if (name == ContentSecurityPolicy::FrameAncestors)
+    return m_frameAncestors.get();
+  if (name == ContentSecurityPolicy::FrameSrc)
+    return m_frameSrc.get();
+  if (name == ContentSecurityPolicy::ImgSrc)
+    return m_imgSrc.get();
+  if (name == ContentSecurityPolicy::MediaSrc)
+    return m_mediaSrc.get();
+  if (name == ContentSecurityPolicy::ManifestSrc)
+    return m_manifestSrc.get();
+  if (name == ContentSecurityPolicy::ObjectSrc)
+    return m_objectSrc.get();
+  if (name == ContentSecurityPolicy::ScriptSrc)
+    return m_scriptSrc.get();
+  if (name == ContentSecurityPolicy::StyleSrc)
+    return m_styleSrc.get();
+  if (name == ContentSecurityPolicy::WorkerSrc)
+    return m_workerSrc.get();
+
+  return nullptr;
+}
+
+SourceListDirectiveVector CSPDirectiveList::getSourceVector(
+    const char* name,
+    CSPDirectiveListVector policies) {
+  SourceListDirectiveVector sourceListDirectives;
+  for (const auto& policy : policies) {
+    SourceListDirective* directive = policy->getSourceListDirective(name);
+
+    if (name == ContentSecurityPolicy::FrameSrc) {
+      // m_frameSrc defaults to m_childSrc, which defaults to m_defaultSrc.
+      directive = policy->operativeDirective(
+          directive, policy->operativeDirective(policy->m_childSrc.get()));
+    } else if (String(name).endsWith("src")) {

[amalika, 2016/11/21 15:57:06]

Another approach would be to define an enum (such as `DefaultBehavior` enum in
tests), a method that would map directives to their default behaviour and then
have a switch here instead.

[Mike West, 2016/11/23 11:19:02]

Or do the work in `getSourceListDirective` instead. That is:

```
if (name == whatever)
  return operativeDirective(m_whatever);
if (name == whatever2)
  return operativeDirective(m_whatever2, operativeDirective(m_whatever3));
```

+      // All directives that end with "src" default to m_defaultSrc.
+      directive = policy->operativeDirective(directive);
+    }
+
+    if (directive)
+      sourceListDirectives.append(directive);
+  }
+
+  return sourceListDirectives;
+}
+
+bool CSPDirectiveList::subsumes(CSPDirectiveListVector other) {
+  const char* directives[] = {
+      // Fetch Directives
+      ContentSecurityPolicy::ChildSrc, ContentSecurityPolicy::ConnectSrc,
+      ContentSecurityPolicy::FontSrc, ContentSecurityPolicy::FrameSrc,
+      ContentSecurityPolicy::ImgSrc, ContentSecurityPolicy::ManifestSrc,
+      ContentSecurityPolicy::MediaSrc, ContentSecurityPolicy::ObjectSrc,
+      ContentSecurityPolicy::ScriptSrc, ContentSecurityPolicy::StyleSrc,
+      ContentSecurityPolicy::WorkerSrc,
+      // Document Directives
+      ContentSecurityPolicy::BaseURI,
+      // Navigation Directives
+      ContentSecurityPolicy::FrameAncestors, ContentSecurityPolicy::FormAction};
+
+  for (const auto& directive : directives) {
+    // There should only be one SourceListDirective for each directive in
+    // Embedding-CSP.
+    SourceListDirectiveVector requiredList =
+        getSourceVector(directive, CSPDirectiveListVector(1, this));
+    if (requiredList.size() == 0)
+      continue;
+    SourceListDirective* required = requiredList[0];
+    // Aggregate all serialized source lists of the returned CSP into a vector
+    // based on a directive type, defaulting accordingly (for example, to
+    // `default-src`).
+    SourceListDirectiveVector returned = getSourceVector(directive, other);
+    // TODO(amalika): Add checks for plugin-types, sandbox, disown-opener,
+    // navigation-to, worker-src.
+    if (!required->subsumes(returned))
+      return false;
+  }
+
+  return true;
+}
+
 DEFINE_TRACE(CSPDirectiveList) {
   visitor->trace(m_policy);
   visitor->trace(m_pluginTypes);