Part 3.4: Is policy list subsumed under subsuming policy?

third_party/WebKit/Source/core/frame/csp/SourceListDirectiveTest.cpp

Index: third_party/WebKit/Source/core/frame/csp/SourceListDirectiveTest.cpp
diff --git a/third_party/WebKit/Source/core/frame/csp/SourceListDirectiveTest.cpp b/third_party/WebKit/Source/core/frame/csp/SourceListDirectiveTest.cpp
index 54c2b35236f2e4e6c2778c7454ee2d129a0293be..1e1676778a73bbb23fe337fc5d9df895bdcb536e 100644
--- a/third_party/WebKit/Source/core/frame/csp/SourceListDirectiveTest.cpp
+++ b/third_party/WebKit/Source/core/frame/csp/SourceListDirectiveTest.cpp
@@ -746,4 +746,127 @@ TEST_F(SourceListDirectiveTest, SubsumesScriptStyleSrc) {
   }
 }
 
+TEST_F(SourceListDirectiveTest, SubsumesOtherAllowAttributes) {
+  struct TestCase {
+    bool isScriptSrc;
+    String sourcesA;
+    std::vector<String> sourcesB;
+    bool expected;
+  } cases[] = {
+      // A or policiesB contain `unsafe-eval`.
+      {false,
+       "http://example1.com/foo/ 'self' 'unsafe-inline' 'strict-dynamic' "
+       "'unsafe-eval'",
+       {"http://example1.com/foo/bar.html 'unsafe-eval'"},
+       true},
+      {true,
+       "http://example1.com/foo/ 'self' 'unsafe-eval'",
+       {"http://example1.com/foo/ 'unsafe-inline'"},
+       false},
+      {true,
+       "http://example1.com/foo/ 'self' 'unsafe-eval'",
+       {"http://example1.com/foo/ 'unsafe-inline' 'unsafe-eval'"},
+       false},
+      {true,
+       "http://example1.com/foo/ 'self' 'unsafe-eval'",
+       {"http://example1.com/foo/ 'unsafe-eval'",
+        "http://example1.com/foo/bar 'self' unsafe-eval'",
+        "http://non-example.com/foo/ 'unsafe-eval' 'self'"},
+       true},
+      {true,
+       "http://example1.com/foo/ 'self'",
+       {"http://example1.com/foo/ 'unsafe-eval'"},
+       false},
+      {true,
+       "http://example1.com/foo/ 'self' 'unsafe-inline'",
+       {"http://example1.com/foo/ 'unsafe-eval'",
+        "http://example1.com/foo/bar 'self' 'unsafe-eval'",
+        "http://non-example.com/foo/ 'unsafe-eval' 'self'"},
+       false},
+      // A or policiesB contain `unsafe-hashed-attributes`.
+      {false,
+       "http://example1.com/foo/ 'self' 'unsafe-inline' 'unsafe-eval' "
+       "'strict-dynamic' "
+       "'unsafe-hashed-attributes'",
+       {"http://example1.com/foo/bar.html 'unsafe-hashed-attributes'"},
+       true},
+      {true,
+       "http://example1.com/foo/ 'self' 'unsafe-hashed-attributes'",
+       {"http://example1.com/foo/ 'unsafe-inline'"},
+       false},
+      {true,
+       "http://example1.com/foo/ 'self' 'unsafe-hashed-attributes'",
+       {"http://example1.com/foo/ 'unsafe-inline' 'unsafe-hashed-attributes'"},
+       false},
+      {true,
+       "http://example1.com/foo/ 'self' 'unsafe-eval' "
+       "'unsafe-hashed-attributes'",
+       {"http://example1.com/foo/ 'unsafe-eval' 'unsafe-hashed-attributes'",
+        "http://example1.com/foo/bar 'self' 'unsafe-hashed-attributes'",
+        "http://non-example.com/foo/ 'unsafe-hashed-attributes' 'self'"},
+       true},
+      {true,
+       "http://example1.com/foo/ 'self'",
+       {"http://example1.com/foo/ 'unsafe-hashed-attributes'"},
+       false},
+      {true,
+       "http://example1.com/foo/ 'self' 'unsafe-inline'",
+       {"http://example1.com/foo/ 'unsafe-hashed-attributes'",
+        "http://example1.com/foo/bar 'self' 'unsafe-hashed-attributes'",
+        "https://example1.com/foo/bar 'unsafe-hashed-attributes' 'self'"},
+       false},
+      // A or policiesB contain `strict-dynamic`. Note that `strict-dynamic`
+      // only is effective for `script-src` directives.
+      {false,
+       "http://example1.com/foo/ 'self' 'unsafe-eval'",
+       {"http://example1.com/foo/bar.html 'strict-dynamic'"},
+       true},
+      {false,
+       "http://example1.com/foo/ 'self' 'strict-dynamic'",
+       {"http://example1.com/foo/bar.html 'strict-dynamic'"},
+       true},
+      {true,
+       "http://example1.com/foo/ 'self' 'strict-dynamic'",
+       {"http://example1.com/foo/ 'unsafe-inline'"},
+       false},
+      {true,
+       "http://example1.com/foo/ 'self' 'strict-dynamic'",
+       {"http://example1.com/foo/ 'unsafe-inline' 'strict-dynamic'"},
+       true},
+      {true,
+       "http://example1.com/foo/ 'self' 'unsafe-eval' 'strict-dynamic'",
+       {"http://example1.com/foo/ 'unsafe-eval' 'unsafe-inline' "
+        "'strict-dynamic'",
+        "http://example1.com/foo/bar 'unsafe-inline' 'strict-dynamic'",
+        "http://non-example.com/foo/ 'strict-dynamic' 'unsafe-inline'"},
+       true},
+      {true,
+       "http://example1.com/foo/ 'self' 'unsafe-eval'",
+       {"http://example1.com/foo/ 'strict-dynamic'"},
+       false},
+      {true,
+       "http://example1.com/foo/ 'self' 'unsafe-inline'",
+       {"http://example1.com/foo/ 'strict-dynamic'",
+        "http://example1.com/foo/bar 'self' 'strict-dynamic'",
+        "https://example1.com/foo/bar 'strict-dynamic' 'self'"},
+       true},

[amalika, 2016/11/29 10:46:03]

Just wanted to check with you:
This is a desired behavior: if Embedding-CSP allows `unsafe-inline` but returned
csp specifies `strict-dynamic`, the subsumption should be true? i.e.
`unsafe-inline` allows not parser-inserted scripts.

[Mike West, 2016/11/29 12:05:48]

Hrm. I don't think that's correct, as `strict-dynamic` might allow more than the
rest of the requested CSP. That is, `'unsafe-inline' 'nonce-a'` doesn't seem to
subsume `'nonce-a' 'strict-dynamic'`, as the latter allows the nonced script to
load anything, while the former doesn't.

I think it's true that `'unsafe-inline'` would subsume `'unsafe-inline'
'strict-dynamic'`, but only because the latter doesn't allow anything. :)

[amalika, 2016/11/29 13:37:45]

From my understanding, then this example would be `true`? Then I think the logic
right now is correct.
The check now is `!m_allowDynamic && !allowAllInline() && allowDynamicOther`, so
the embedding csp does not subsume the returned csp when the former does *not*
allow all inline behavior (i.e. there are hashes/nonces) and does *not* specify
`strict-dynamic`, while the latter does:
- "'unsafe-inline'" subsumes "'strict-dynamic'"
- "'unsafe-inline' 'nonce-123'" does not subsume "'strict-dynamic'"
- "'unsafe-inline' 'nonce-123' 'strict-dynamic'" subsumes "'strict-dynamic'".

I added these tests right after this one.

+  };
+
+  for (const auto& test : cases) {
+    SourceListDirective A(test.isScriptSrc ? "script-src" : "style-src",
+                          test.sourcesA, csp.get());
+    ContentSecurityPolicy* cspB =
+        SetUpWithOrigin("https://another.test/image.png");
+
+    HeapVector<Member<SourceListDirective>> vectorB;
+    for (const auto& sources : test.sourcesB) {
+      SourceListDirective* member = new SourceListDirective(
+          test.isScriptSrc ? "script-src" : "style-src", sources, cspB);
+      vectorB.append(member);
+    }
+
+    EXPECT_EQ(A.subsumes(vectorB), test.expected);
+  }
+}
+
 }  // namespace blink