Part 3.5: Is policy list subsumed under subsuming policy?

Part 3.5: Is policy list subsumed under subsuming policy?

This is part of an experimental feature Embedding-CSP.

Here we add support for `none` source lists. Note that
normalized returned CSP might not explicitly declare `none`, but
with contradictory sources can allow effectively `none`.

For example if the secure origin is `http://google.com`:
Content-Security-Policy: script-src 'self'
Content-Security-Policy: script-src https://example.test/

then it should be subsumed by the Embedding-CSP that is :
Content-Security-Policy: script-src 'none'

BUG=647588
Committed: https://crrev.com/82f74b025438d88016d67f1d27b7ffca1d149dac
Cr-Commit-Position: refs/heads/master@{#436270}

[amalika, 2016-11-28 15:14:11]

Description was changed from

==========
Part 3.3: Is policy list subsumed under subsuming policy?

This is part of an experimental feature Embedding-CSP.

Here we add support for `none` source lists. Note that
normalized returned CSP might not explicitly declare `none`, but
with contradictory sources can allow effectively `none`.

For example if the secure origin is `http://google.com`:
Content-Security-Policy: script-src 'self'
Content-Security-Policy: script-src https://example.test/

then it should be subsumed by the Embedding-CSP that is :
Content-Security-Policy: script-src 'none'

BUG=647588
==========

to

==========
Part 3.5: Is policy list subsumed under subsuming policy?

This is part of an experimental feature Embedding-CSP.

Here we add support for `none` source lists. Note that
normalized returned CSP might not explicitly declare `none`, but
with contradictory sources can allow effectively `none`.

For example if the secure origin is `http://google.com`:
Content-Security-Policy: script-src 'self'
Content-Security-Policy: script-src https://example.test/

then it should be subsumed by the Embedding-CSP that is :
Content-Security-Policy: script-src 'none'

BUG=647588
==========

[amalika, 2016-11-30 09:39:19]

Patchset #2 (id:20001) has been deleted

[amalika, 2016-11-30 09:39:54]

amalika@google.com changed reviewers:
+ jochen@chromium.org, mkwst@chromium.org

[amalika, 2016-11-30 09:56:18]

Patchset #3 (id:60001) has been deleted

[Mike West, 2016-11-30 10:32:29]

LGTM % nit.

https://codereview.chromium.org/2528423002/diff/80001/third_party/WebKit/Sour...
File third_party/WebKit/Source/core/frame/csp/SourceListDirective.cpp (right):

https://codereview.chromium.org/2528423002/diff/80001/third_party/WebKit/Sour...
third_party/WebKit/Source/core/frame/csp/SourceListDirective.cpp:106: bool
SourceListDirective::allowNone() const {
Please add unit tests for `allowNone()`.

Also: "allow none" is strange. How about "isNone()"?

[amalika, 2016-11-30 11:56:57]

Patchset #4 (id:100001) has been deleted

[amalika, 2016-11-30 11:57:48]

Renaming + adding a test

[amalika, 2016-12-02 17:07:33]

The CQ bit was checked by amalika@google.com to run a CQ dry run

[commit-bot: I haz the power, 2016-12-02 17:07:55]

Dry run: CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[amalika, 2016-12-02 17:08:06]

The CQ bit was unchecked by amalika@google.com

[amalika, 2016-12-02 17:08:14]

The CQ bit was checked by amalika@google.com

[amalika, 2016-12-02 17:08:14]

The patchset sent to the CQ was uploaded after l-g-t-m from mkwst@chromium.org
Link to the patchset: https://codereview.chromium.org/2528423002/#ps140001
(title: "Rebasing")

[commit-bot: I haz the power, 2016-12-02 17:08:33]

CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[amalika, 2016-12-02 18:39:35]

The CQ bit was unchecked by amalika@google.com

[amalika, 2016-12-05 09:43:56]

The CQ bit was checked by amalika@google.com to run a CQ dry run

[commit-bot: I haz the power, 2016-12-05 09:44:12]

Dry run: CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[commit-bot: I haz the power, 2016-12-05 11:12:00]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2016-12-05 11:12:01]

Dry run: This issue passed the CQ dry run.

[amalika, 2016-12-05 12:47:26]

The CQ bit was checked by amalika@google.com

[amalika, 2016-12-05 12:47:26]

The patchset sent to the CQ was uploaded after l-g-t-m from mkwst@chromium.org
Link to the patchset: https://codereview.chromium.org/2528423002/#ps180001
(title: "Removing debugging")

[commit-bot: I haz the power, 2016-12-05 12:47:46]

CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[commit-bot: I haz the power, 2016-12-05 12:52:10]

CQ is committing da patch.

Bot data: {"patchset_id": 180001, "attempt_start_ts": 1480942046411830,
"parent_rev": "afec5be54329867a995ebd53d2abbdce9965fad4", "commit_rev":
"20d4078f015f20b4418b33cc6e39c38ecc89ba64"}

[commit-bot: I haz the power, 2016-12-05 12:52:40]

Committed patchset #7 (id:180001)

[commit-bot: I haz the power, 2016-12-05 12:54:31]

Description was changed from

==========
Part 3.5: Is policy list subsumed under subsuming policy?

This is part of an experimental feature Embedding-CSP.

Here we add support for `none` source lists. Note that
normalized returned CSP might not explicitly declare `none`, but
with contradictory sources can allow effectively `none`.

For example if the secure origin is `http://google.com`:
Content-Security-Policy: script-src 'self'
Content-Security-Policy: script-src https://example.test/

then it should be subsumed by the Embedding-CSP that is :
Content-Security-Policy: script-src 'none'

BUG=647588
==========

to

==========
Part 3.5: Is policy list subsumed under subsuming policy?

This is part of an experimental feature Embedding-CSP.

Here we add support for `none` source lists. Note that
normalized returned CSP might not explicitly declare `none`, but
with contradictory sources can allow effectively `none`.

For example if the secure origin is `http://google.com`:
Content-Security-Policy: script-src 'self'
Content-Security-Policy: script-src https://example.test/

then it should be subsumed by the Embedding-CSP that is :
Content-Security-Policy: script-src 'none'

BUG=647588

Committed: https://crrev.com/82f74b025438d88016d67f1d27b7ffca1d149dac
Cr-Commit-Position: refs/heads/master@{#436270}
==========

[commit-bot: I haz the power, 2016-12-05 12:54:32]

Patchset 7 (id:??) landed as
https://crrev.com/82f74b025438d88016d67f1d27b7ffca1d149dac
Cr-Commit-Position: refs/heads/master@{#436270}