Part 3.2: Is policy list subsumed under subsuming policy?

third_party/WebKit/Source/core/frame/csp/SourceListDirectiveTest.cpp

 // Copyright 2015 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "core/frame/csp/SourceListDirective.h"
 
 #include "core/dom/Document.h"
 #include "core/frame/csp/CSPSource.h"
 #include "core/frame/csp/ContentSecurityPolicy.h"
 #include "platform/network/ResourceRequest.h"
@@ skipping 19 matching lines @@
   };
 
   virtual void SetUp() {
     KURL secureURL(ParsedURLString, "https://example.test/image.png");
     RefPtr<SecurityOrigin> secureOrigin(SecurityOrigin::create(secureURL));
     document = Document::create();
     document->setSecurityOrigin(secureOrigin);
     csp->bindToExecutionContext(document.get());
   }
 
+  ContentSecurityPolicy* SetUpWithOrigin(const String& origin) {
+    KURL secureURL(ParsedURLString, origin);
+    RefPtr<SecurityOrigin> secureOrigin(SecurityOrigin::create(secureURL));
+    Document* document = Document::create();
+    document->setSecurityOrigin(secureOrigin);
+    ContentSecurityPolicy* csp = ContentSecurityPolicy::create();
+    csp->setupSelf(*SecurityOrigin::createFromString(origin));
+    return csp;
+  }
+
   bool equalSources(const Source& a, const Source& b) {
     return a.scheme == b.scheme && a.host == b.host && a.port == b.port &&
            a.path == b.path && a.hostWildcard == b.hostWildcard &&
            a.portWildcard == b.portWildcard;
   }
 
   Persistent<ContentSecurityPolicy> csp;
   Persistent<Document> document;
 };
 
@@ skipping 380 matching lines @@
     EXPECT_EQ(required.subsumes(returned), test.expected);
 
     // If required is empty, any returned should be subsumed by it.
     SourceListDirective requiredIsEmpty("script-src", "", csp.get());
     EXPECT_TRUE(
         requiredIsEmpty.subsumes(HeapVector<Member<SourceListDirective>>()));
     EXPECT_TRUE(requiredIsEmpty.subsumes(returned));
   }
 }
 
+TEST_F(SourceListDirectiveTest, SubsumesWithSelf) {
+  SourceListDirective A("script-src",
+                        "http://example1.com/foo/ http://*.example2.com/bar/ "
+                        "http://*.example3.com:*/bar/ 'self'",
+                        csp.get());
+
+  struct TestCase {
+    std::vector<String> sourcesB;
+    const String& originB;
+    bool expected;
+  } cases[] = {
+      // "https://example.test/" is a secure origin for both A and B.
+      {{"'self'"}, "https://example.test/", true},
+      {{"'self' 'self' 'self'"}, "https://example.test/", true},
+      {{"'self'", "'self'", "'self'"}, "https://example.test/", true},
+      {{"'self'", "'self'", "https://*.example.test/"},
+       "https://example.test/",
+       true},
+      {{"'self'", "'self'", "https://*.example.test/bar/"},
+       "https://example.test/",
+       true},
+      {{"'self' https://another.test/bar", "'self' http://*.example.test/bar",
+        "https://*.example.test/bar/"},
+       "https://example.test/",
+       true},
+      {{"http://example1.com/foo/ 'self'"}, "https://example.test/", true},
+      {{"http://example1.com/foo/ https://example.test/"},
+       "https://example.test/",
+       true},
+      {{"http://example1.com/foo/ http://*.example2.com/bar/"},
+       "https://example.test/",
+       true},
+      {{"http://example1.com/foo/ http://*.example2.com/bar/ "
+        "http://*.example3.com:*/bar/ https://example.test/"},
+       "https://example.test/",
+       true},
+      {{"http://example1.com/foo/ http://*.example2.com/bar/ "
+        "http://*.example3.com:*/bar/ 'self'"},
+       "https://example.test/",
+       true},
+      {{"'self'", "'self'", "https://example.test/"},
+       "https://example.test/",
+       true},
+      {{"'self'", "https://example.test/folder/"},
+       "https://example.test/",
+       true},
+      {{"'self'", "http://example.test/folder/"},
+       "https://example.test/",
+       true},
+      {{"'self' https://example.com/", "https://example.com/"},
+       "https://example.test/",
+       false},
+      {{"http://example1.com/foo/ http://*.example2.com/bar/",
+        "http://example1.com/foo/ http://*.example2.com/bar/ 'self'"},
+       "https://example.test/",
+       true},
+      {{"http://*.example1.com/foo/", "http://*.example1.com/foo/ 'self'"},
+       "https://example.test/",
+       false},
+      {{"https://*.example.test/", "https://*.example.test/ 'self'"},
+       "https://example.test/",
+       false},
+      {{"http://example.test/"}, "https://example.test/", false},
+      // Origins of A and B do not match.
+      {{"'self'"}, "https://other-origin.test/", true},
+      {{"https://example.test/"}, "https://other-origin.test/", false},
+      {{"http://example1.com/foo/ http://*.example2.com/bar/ "
+        "http://*.example3.com:*/bar/ 'self'"},
+       "https://other-origin.test/",
+       true},
+      {{"http://example1.com/foo/ http://*.example2.com/bar/ "
+        "http://*.example3.com:*/bar/ https://other-origin.test/"},
+       "https://other-origin.test/",
+       true},
+      {{"http://example1.com/foo/ 'self'"}, "https://other-origin.test/", true},
+      {{"'self'", "https://example.test/"}, "https://other-origin.test/", true},
+      {{"'self' https://example.test/", "https://example.test/"},
+       "https://other-origin.test/",
+       false},
+      {{"https://example.test/", "http://example.test/"},
+       "https://other-origin.test/",
+       false},
+      {{"'self'", "http://other-origin.test/"},
+       "https://other-origin.test/",
+       true},
+      {{"'self'", "https://example.test/"}, "https://other-origin.test/", true},
+      // B's origin matches one of sources in the source list of A.
+      {{"'self'", "http://*.example1.com/foo/"}, "http://example1.com/", true},
+      {{"http://*.example2.com/bar/", "'self'"},
+       "http://example2.com/bar/",
+       true},
+      {{"'self' http://*.example1.com/foo/", "http://*.example1.com/foo/"},
+       "http://example1.com/",
+       false},
+      {{"http://*.example2.com/bar/ http://example1.com/",
+        "'self' http://example1.com/"},
+       "http://example2.com/bar/",
+       false},
+  };
+
+  for (const auto& test : cases) {
+    ContentSecurityPolicy* cspB = SetUpWithOrigin(test.originB);

[Mike West, 2016/11/30 13:24:20]

It will be easier to debug the failing bot if you add a `SCOPED_TRACE` that
tells you which item is failing. Right now, you've got basically nothing to go
on. :(

+
+    HeapVector<Member<SourceListDirective>> vectorB;
+    for (const auto& sources : test.sourcesB) {
+      SourceListDirective* member =
+          new SourceListDirective("script-src", sources, cspB);
+      vectorB.append(member);
+    }
+
+    EXPECT_EQ(A.subsumes(vectorB), test.expected);
+  }
+}
+
 }  // namespace blink