
Unified Diff: third_party/WebKit/Source/core/frame/csp/SourceListDirectiveTest.cpp

Issue 2519103005: Part 3.2: Is policy list subsumed under subsuming policy? (Closed)
Patch Set: Adding more tests Created 4 years, 1 month ago
Index: third_party/WebKit/Source/core/frame/csp/SourceListDirectiveTest.cpp
diff --git a/third_party/WebKit/Source/core/frame/csp/SourceListDirectiveTest.cpp b/third_party/WebKit/Source/core/frame/csp/SourceListDirectiveTest.cpp
index 661ef7ff64d986812b9a7dc0ac5f15a794b47566..91a0d3f4a9b730de0881713623c0c87f091c6a79 100644
--- a/third_party/WebKit/Source/core/frame/csp/SourceListDirectiveTest.cpp
+++ b/third_party/WebKit/Source/core/frame/csp/SourceListDirectiveTest.cpp
@@ -37,6 +37,16 @@ class SourceListDirectiveTest : public ::testing::Test {
csp->bindToExecutionContext(document.get());
}
+ ContentSecurityPolicy* SetUpWithOrigin(const String& origin) {
+ KURL secureURL(ParsedURLString, origin);
+ RefPtr<SecurityOrigin> secureOrigin(SecurityOrigin::create(secureURL));
+ document = Document::create();
+ document->setSecurityOrigin(secureOrigin);
+ ContentSecurityPolicy* csp = ContentSecurityPolicy::create();
+ csp->bindToExecutionContext(document.get());
+ return csp;
+ }
+
bool equalSources(const Source& a, const Source& b) {
return a.scheme == b.scheme && a.host == b.host && a.port == b.port &&
a.path == b.path && a.hostWildcard == b.hostWildcard &&
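Review bot: `SetUpWithOrigin` names its locals `secureURL` and `secureOrigin`, but the new test passes `http://` origins through it (for example `"http://example1.com/"`), so the names misstate what the helper guarantees; `url` and `origin` would be accurate. The helper also reassigns the fixture's `document` on every call, so policies returned by earlier calls, and apparently the fixture's own `csp`, remain bound to a document the fixture no longer holds. A one-line comment such as `// Replaces the fixture's document; policies created earlier keep their previous execution context.` would make that side effect explicit. The body repeats what `SetUp` appears to do just above (its start is outside this hunk), so `SetUp` could presumably delegate to this helper.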
@@ -383,4 +393,120 @@ TEST_F(SourceListDirectiveTest, Subsumes) {
}
}
+TEST_F(SourceListDirectiveTest, SubsumesWithSelf) {
+ SourceListDirective A("script-src",
+ "http://example1.com/foo/ http://*.example2.com/bar/ "
+ "http://*.example3.com:*/bar/ 'self'",
+ csp.get());
+
+ struct TestCase {
+ std::vector<String> sourcesB;
+ const String& originB;
+ bool expected;
+ } cases[] = {
+ // `self` of A and B match.
Mike West 2016/11/23 11:22:02 Might be worth noting somewhere here that `'self'`
amalika 2016/11/23 14:09:53 Added!
+ {{"'self'"}, "https://example.test/", true},
+ {{"'self' 'self' 'self'"}, "https://example.test/", true},
+ {{"'self'", "'self'", "'self'"}, "https://example.test/", true},
+ {{"'self'", "'self'", "https://*.example.test/"},
Mike West 2016/11/23 11:22:02 `*.example.test` doesn't match `example.test`, doe
amalika 2016/11/23 14:09:53 It is a vector of policies and since `self` is `ex
+ "https://example.test/",
+ true},
+ {{"'self'", "'self'", "https://*.example.test/bar/"},
+ "https://example.test/",
+ true},
+ {{"'self' https://another.test/bar", "'self' http://*.example.test/bar",
+ "https://*.example.test/bar/"},
+ "https://example.test/",
+ true},
+ {{"http://example1.com/foo/ 'self'"}, "https://example.test/", true},
+ {{"http://example1.com/foo/ https://example.test/"},
+ "https://example.test/",
+ true},
+ {{"http://example1.com/foo/ http://*.example2.com/bar/"},
+ "https://example.test/",
+ true},
+ {{"http://example1.com/foo/ http://*.example2.com/bar/ "
+ "http://*.example3.com:*/bar/ https://example.test/"},
+ "https://example.test/",
+ true},
+ {{"http://example1.com/foo/ http://*.example2.com/bar/ "
+ "http://*.example3.com:*/bar/ 'self'"},
+ "https://example.test/",
+ true},
+ {{"'self'", "'self'", "https://example.test/"},
+ "https://example.test/",
+ true},
+ {{"'self'", "https://example.test/folder/"},
+ "https://example.test/",
+ true},
+ {{"'self'", "http://example.test/folder/"},
+ "https://example.test/",
+ true},
+ {{"'self' https://example.com/", "https://example.com/"},
+ "https://example.test/",
+ false},
+ {{"http://example1.com/foo/ http://*.example2.com/bar/",
+ "http://example1.com/foo/ http://*.example2.com/bar/ 'self'"},
+ "https://example.test/",
+ true},
+ {{"http://*.example1.com/foo/", "http://*.example1.com/foo/ 'self'"},
+ "https://example.test/",
+ false},
+ {{"https://*.example.test/", "https://*.example.test/ 'self'"},
+ "https://example.test/",
+ false},
+ {{"http://example.test/"}, "https://example.test/", false},
+ // `self` of A and B do not match.
+ {{"'self'"}, "https://other-origin.test/", false},
+ {{"https://example.test/"}, "https://other-origin.test/", true},
+ {{"http://example1.com/foo/ http://*.example2.com/bar/ "
+ "http://*.example3.com:*/bar/ 'self'"},
+ "https://other-origin.test/",
+ false},
+ {{"http://example1.com/foo/ http://*.example2.com/bar/ "
+ "http://*.example3.com:*/bar/ https://other-origin.test/"},
+ "https://other-origin.test/",
+ false},
+ {{"http://example1.com/foo/ 'self'"},
+ "https://other-origin.test/",
+ false},
+ {{"'self'", "http://other-origin.test/"},
+ "https://other-origin.test/",
+ false},
+ {{"'self'", "https://example.test/"}, "https://other-origin.test/", true},
+ // B's origin matches one of sources in the source list of A.
+ {{"'self'", "http://*.example1.com/foo/"}, "http://example1.com/", true},
+ {{"http://*.example2.com/bar/", "'self'"},
+ "http://example2.com/bar/",
+ true},
+ {{"'self' http://*.example1.com/foo/", "http://*.example1.com/foo/"},
+ "http://example1.com/",
+ false},
+ {{"http://*.example2.com/bar/ http://example1.com/",
+ "'self' http://example1.com/"},
+ "http://example2.com/bar/",
+ false},
+ };
+
+ SourceListDirective emptyA("script-src", "", csp.get());
+ // Empty SourceListDirective must subsume empty vector of
+ // SourceListDirectives.
+ EXPECT_TRUE(emptyA.subsumes(HeapVector<Member<SourceListDirective>>()));
+
+ for (const auto& test : cases) {
+ ContentSecurityPolicy* cspB = SetUpWithOrigin(test.originB);
+
+ HeapVector<Member<SourceListDirective>> vectorB;
+ for (const auto& sources : test.sourcesB) {
+ SourceListDirective* member =
+ new SourceListDirective("script-src", sources, cspB);
+ vectorB.append(member);
+ }
+
+ EXPECT_EQ(A.subsumes(vectorB), test.expected);
+ // If emptyA is empty, any vectorB should be subsumed by it.
+ EXPECT_TRUE(emptyA.subsumes(vectorB));
+ }
+}
+
} // namespace blink
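Review bot: The `EXPECT_TRUE(emptyA.subsumes(vectorB))` inside the loop pins an empty `script-src` list as subsuming every B, including rows where B allows `'self'` or host sources. The rest of the table reads subsumption as "A allows everything B allows" (for example `{"'self'"}` with origin `https://other-origin.test/` expects `false`), and under that reading a list that matches no source should only subsume a B that also allows nothing. If the short-circuit is intentional for now, say so next to the assertion, e.g. `// NOTE: empty A is treated as subsuming everything; confirm this matches the intended semantics of an empty source list.`, because otherwise a required empty policy would accept a more permissive one. Separately, `const String& originB` in `TestCase` binds each row to a temporary `String` built from a literal and depends on aggregate lifetime extension; declaring it as `String originB;` removes that dependency.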