Part 4.1: Is policy list subsumed under subsuming policy?

third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp

Index: third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp
diff --git a/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp b/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp
index 34611c35cf3466b6a3e1401ca7c0c5637baf77bf..c49febb2d3609a6c93e7c9210b5f1205bc0353d2 100644
--- a/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp
+++ b/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp
@@ -1556,4 +1556,19 @@ void ContentSecurityPolicy::didSendViolationReport(const String& report) {
   m_violationReportsSent.add(report.impl()->hash());
 }
 
+bool ContentSecurityPolicy::subsumes(const ContentSecurityPolicy& other) {
+  if (!m_policies.size() || !other.m_policies.size())
+    return !m_policies.size();
+
+  CSPDirectiveListVector otherVector;
+  for (const auto& policy : other.m_policies) {
+    if (!policy->isReportOnly())
+      otherVector.append(policy);
+  }
+  // Embedding-CSP specifies only one policy.
+  DCHECK(m_policies.size(), 1u);

[amalika, 2016/11/28 11:56:22]

Since Embedding-CSP can't be more than just one policy, should this be removed?

[Mike West, 2016/11/28 13:08:02]

I'd suggest returning `false` if more than one policy is present.

[amalika, 2016/11/29 12:43:52]

Changed!

+
+  return m_policies[0]->subsumes(otherVector);

[Mike West, 2016/11/28 13:08:02]

What if `m_policies[0]` is report-only?

[amalika, 2016/11/29 12:43:52]

Current implementation of Embedding-CSP is such that there is only one string
which becomes one enforced policy. We set it to be of type `Enforce` in
DocumentLoader.
Would there be any other usages of subsumption that we should check `Report`
type here?

+}
+
 }  // namespace blink