Part 4.1: Is policy list subsumed under subsuming policy?

third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/embeddedEnforcement/subsumption_algorithm-general.html

Index: third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/embeddedEnforcement/subsumption_algorithm-general.html
diff --git a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/embeddedEnforcement/subsumption_algorithm-general.html b/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/embeddedEnforcement/subsumption_algorithm-general.html
new file mode 100644
index 0000000000000000000000000000000000000000..d05e23f79d10942920662b4b45705bf74f4d2d47
--- /dev/null
+++ b/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/embeddedEnforcement/subsumption_algorithm-general.html
@@ -0,0 +1,57 @@
+<!DOCTYPE html>
+<html>
+<head>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src="/security/contentSecurityPolicy/resources/child-csp-test.js"></script>
+</head>
+<body>
+    <script>
+      async_test(t => {
+          url = generateUrlWithCSP(CROSS_ORIGIN, "");
+          injectIframeWithCSP(url, EXPECT_LOAD, "", t, "0");
+        }, "If there is no required csp, the page should load.");
+
+      async_test(t => {
+          required_csp = "frame-src http://c.com:*";
+          url = generateUrlWithCSP(CROSS_ORIGIN, "");
+          injectIframeWithCSP(url, EXPECT_BLOCK, required_csp, t, "1");
+        }, "Iframe with empty CSP should be blocked.");
+
+      async_test(t => {
+          required_csp = "frame-src http://c.com:443 http://b.com:80";
+          returned_csp = "frame-src http://b.com:80 http://c.com:443";
+          url = generateUrlWithCSP(CROSS_ORIGIN, returned_csp);
+          injectIframeWithCSP(url, EXPECT_LOAD, required_csp, t, "2");
+        }, "Iframe with matching CSP should load.");
+
+      async_test(t => {
+          required_csp = "frame-src http://c.com:443 http://b.com:80 http://c.com:* http://a.com";
+          returned_csp = "frame-src http://b.com:80 http://c.com:443";
+          url = generateUrlWithCSP(CROSS_ORIGIN, returned_csp);
+          injectIframeWithCSP(url, EXPECT_LOAD, required_csp, t, "3");
+        }, "Iframe with more restricting CSP should load.");
+
+      async_test(t => {
+          required_csp = "frame-src http://b.com:80";
+          returned_csp = "frame-src http://b.com:80 http://c.com:443";
+          url = generateUrlWithCSP(CROSS_ORIGIN, returned_csp);
+          injectIframeWithCSP(url, EXPECT_BLOCK, required_csp, t, "4");
+        }, "Iframe with less restricting CSP should be blocked.");
+
+      async_test(t => {
+          required_csp = "frame-src http://a.com:80";
+          returned_csp = "frame-src http://b.com:80 http://c.com:443";
+          url = generateUrlWithCSP(CROSS_ORIGIN, returned_csp);
+          injectIframeWithCSP(url, EXPECT_BLOCK, required_csp, t, "5");
+        }, "Iframe with a different CSP should be blocked.");
+
+      async_test(t => {
+          required_csp = "frame-src http://c.com:443 http://b.com";
+          returned_csp = "frame-src http://b.com:80 http://c.com:443";
+          url = generateUrlWithCSP(CROSS_ORIGIN, returned_csp);
+          injectIframeWithCSP(url, EXPECT_LOAD, required_csp, t, "6");
+        }, "Iframe with a matching and more restrictive ports should load.");
+    </script>
+</body>
+</html>