Part 4.1: Is policy list subsumed under subsuming policy?

third_party/WebKit/Source/core/loader/DocumentLoader.cpp

 /*
  * Copyright (C) 2006, 2007, 2008 Apple Inc. All rights reserved.
  * Copyright (C) 2011 Google Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  *
  * 1.  Redistributions of source code must retain the above copyright
  *     notice, this list of conditions and the following disclaimer.
@@ skipping 450 matching lines @@
   if (RuntimeEnabledFeatures::embedderCSPEnforcementEnabled() &&
       !frameLoader()->requiredCSP().isEmpty()) {
     SecurityOrigin* parentSecurityOrigin =
         frame()->tree().parent()->securityContext()->getSecurityOrigin();
     if (ContentSecurityPolicy::shouldEnforceEmbeddersPolicy(
             response, parentSecurityOrigin)) {
       m_contentSecurityPolicy->addPolicyFromHeaderValue(
           frameLoader()->requiredCSP(), ContentSecurityPolicyHeaderTypeEnforce,
           ContentSecurityPolicyHeaderSourceHTTP);
     } else {
-      String message = "Refused to display '" + response.url().elidedString() +
-                       "' because it has not opted-into the following policy "
-                       "required by its embedder: '" +
-                       frameLoader()->requiredCSP() + "'.";
-      ConsoleMessage* consoleMessage = ConsoleMessage::createForRequest(
-          SecurityMessageSource, ErrorMessageLevel, message, response.url(),
-          mainResourceIdentifier());
-      frame()->document()->addConsoleMessage(consoleMessage);
-      cancelLoadAfterXFrameOptionsOrCSPDenied(response);
-      return;
+      ContentSecurityPolicy* embeddingCSP = ContentSecurityPolicy::create();
+      embeddingCSP->setOverrideURLForSelf(
+          KURL(ParsedURLString, parentSecurityOrigin->toString()));

[amalika, 2016/11/28 11:56:22]

Not sure if there should be other conversions applied on the string. In the
comments of KURL it mentions something about `KURL::string()`.

[Mike West, 2016/11/28 13:08:02]

What should this do in a sandboxed document (where the origin serializes to
`null`)?

[amalika, 2016/11/29 12:43:52]

Oh... hmm. Is there any other way we can learn the origin't kurl? Otherwise,
should we require that Embedding-CSP does not contain `self`?

+      embeddingCSP->addPolicyFromHeaderValue(
+          frameLoader()->requiredCSP(), ContentSecurityPolicyHeaderTypeEnforce,
+          ContentSecurityPolicyHeaderSourceHTTP);
+      if (!embeddingCSP->subsumes(*m_contentSecurityPolicy)) {
+        String message = "Refused to display '" +
+                         response.url().elidedString() +
+                         "' because it has not opted-into the following policy "
+                         "required by its embedder: '" +
+                         frameLoader()->requiredCSP() + "'.";
+        ConsoleMessage* consoleMessage = ConsoleMessage::createForRequest(
+            SecurityMessageSource, ErrorMessageLevel, message, response.url(),
+            mainResourceIdentifier());
+        frame()->document()->addConsoleMessage(consoleMessage);
+        cancelLoadAfterXFrameOptionsOrCSPDenied(response);
+        return;
+      }
     }
   }
 
   DCHECK(!m_frame->page()->defersLoading());
 
   m_response = response;
 
   if (isArchiveMIMEType(m_response.mimeType()) &&
       m_mainResource->getDataBufferingPolicy() != BufferData)
     m_mainResource->setDataBufferingPolicy(BufferData);
@@ skipping 302 matching lines @@
                              m_writer ? m_writer->encoding() : emptyAtom, true,
                              ForceSynchronousParsing);
   if (!source.isNull())
     m_writer->appendReplacingData(source);
   endWriting();
 }
 
 DEFINE_WEAK_IDENTIFIER_MAP(DocumentLoader);
 
 }  // namespace blink