Feature policy: Add basic algorithm for supporting frame policies.

third_party/WebKit/Source/platform/feature_policy/FeaturePolicyTest.cpp

Index: third_party/WebKit/Source/platform/feature_policy/FeaturePolicyTest.cpp
diff --git a/third_party/WebKit/Source/platform/feature_policy/FeaturePolicyTest.cpp b/third_party/WebKit/Source/platform/feature_policy/FeaturePolicyTest.cpp
index b5ec7f27f8ddf8509d098935c6270b73e3e66e49..e61743f0e0c5ce85996306d67827e6d78dcdbe2c 100644
--- a/third_party/WebKit/Source/platform/feature_policy/FeaturePolicyTest.cpp
+++ b/third_party/WebKit/Source/platform/feature_policy/FeaturePolicyTest.cpp
@@ -68,7 +68,16 @@ class FeaturePolicyTest : public ::testing::Test {
   std::unique_ptr<FeaturePolicy> createFromParentPolicy(
       const FeaturePolicy* parent,
       RefPtr<SecurityOrigin> origin) {
-    return FeaturePolicy::createFromParentPolicy(parent, origin, m_featureList);
+    return FeaturePolicy::createFromParentPolicy(parent, nullptr, origin,
+                                                 m_featureList);
+  }
+
+  std::unique_ptr<FeaturePolicy> createFromParentWithFramePolicy(
+      const FeaturePolicy* parent,
+      const WebParsedFeaturePolicy* framePolicy,
+      RefPtr<SecurityOrigin> origin) {
+    return FeaturePolicy::createFromParentPolicy(parent, framePolicy, origin,
+                                                 m_featureList);
   }
 
   RefPtr<SecurityOrigin> m_originA = SecurityOrigin::createFromString(ORIGIN_A);
@@ -792,4 +801,394 @@ TEST_F(FeaturePolicyTest, TestFeatureEnabledForOrigin) {
       policy1->isFeatureEnabledForOrigin(kDefaultOffFeature, *m_originC));
 }
 
+// Test frame policies
+
+TEST_F(FeaturePolicyTest, TestSimpleFramePolicy) {
+  // +---------------------------------------------+
+  // |(1)Origin A                                  |
+  // |No Policy                                    |
+  // |                                             |
+  // |<iframe policy='{"default-self": ["self"]}'> |
+  // | +-------------+                             |
+  // | |(2)Origin B  |                             |
+  // | |No Policy    |                             |
+  // | +-------------+                             |
+  // +---------------------------------------------+
+  // Default-self feature should be enabled in cross-origin child frame because
+  // permission was delegated through frame policy.
+  // This is the same scenario as when the iframe is declared as
+  // <iframe allow="default-self">
+  Vector<String> messages;
+  std::unique_ptr<FeaturePolicy> policy1 =
+      createFromParentPolicy(nullptr, m_originA);
+  WebParsedFeaturePolicy framePolicy = FeaturePolicy::parseFeaturePolicy(
+      "{\"default-self\": [\"self\"]}", m_originB.get(), &messages);

[raymes, 2017/02/03 00:28:51]

Hmm - does "self" in the attribute refer to the embedder or the embedee? I feel
like it should refer to the embedder since it is written in the context of the
embedder. Specifically, I feel like m_originB here should be m_originA. What do
you think?

[iclelland, 2017/02/03 16:59:54]

I recall that the way we had originally gone with this was to say that
attributes like "allowfullscreen" in an iframe element would translate to
{"fullscreen": [*]}
which would match every origin, even if the frame contents were navigated, and
'allow="fullscreen"' would translate to
{"fullscreen": ["self"]}
which would be snapshotted to the origin of the src attribute.

Since we do snapshot the origin at parsing time, though, we could easily switch
that. I'll try it and see if it makes the spec simpler.

[raymes, 2017/02/03 18:11:28]

I guess I had been thinking allow="fullscreen" would translate to {"fullscreen":
["example.com"]} (where example.com was the src attribute). I think in this case
it's really just a question of whichever syntax is the most clear. My personal
opinion would be that "self" feels more like it's talking about the embedder in
that context, but I'm open to other opinions too :)

[iclelland, 2017/02/03 19:50:04]

We're going to translate the allow and allow* attributes directly into
declarations, and the origin needs to be explicit there (there's no concept of
"self" after you get out of strings). For those cases, it doesn't matter.
We're not shipping the attribute that lets you specify the full policy right
now, and that's the only case where a developer could actually specify "self".
I'll update the tests to use explicit origins, and we can move the discussion of
how we interpret the JSON text to somewhere more visible.

[iclelland, 2017/02/14 21:25:03]

Tests updated to use explicit origins for frame policy declarations.

+  EXPECT_EQ(0UL, messages.size());
+  std::unique_ptr<FeaturePolicy> policy2 =
+      createFromParentWithFramePolicy(policy1.get(), &framePolicy, m_originB);
+  EXPECT_TRUE(
+      policy1->isFeatureEnabledForOrigin(kDefaultSelfFeature, *m_originA));
+  EXPECT_FALSE(
+      policy1->isFeatureEnabledForOrigin(kDefaultSelfFeature, *m_originB));
+  EXPECT_FALSE(
+      policy1->isFeatureEnabledForOrigin(kDefaultSelfFeature, *m_originC));
+  EXPECT_FALSE(
+      policy2->isFeatureEnabledForOrigin(kDefaultSelfFeature, *m_originA));
+  EXPECT_TRUE(
+      policy2->isFeatureEnabledForOrigin(kDefaultSelfFeature, *m_originB));
+  EXPECT_FALSE(
+      policy2->isFeatureEnabledForOrigin(kDefaultSelfFeature, *m_originC));
+}
+
+TEST_F(FeaturePolicyTest, TestAllOriginFramePolicy) {
+  // +------------------------------------------+
+  // |(1)Origin A                               |
+  // |No Policy                                 |
+  // |                                          |
+  // |<iframe policy='{"default-self": ["*"]}'> |
+  // | +-------------+                          |
+  // | |(2)Origin B  |                          |
+  // | |No Policy    |                          |
+  // | +-------------+                          |
+  // +------------------------------------------+
+  // Default-self feature should be enabled in cross-origin child frame because
+  // permission was delegated through frame policy.
+  // This is the same scenario that arises when the iframe is declared as
+  // <iframe allowfullscreen>
+  Vector<String> messages;
+  std::unique_ptr<FeaturePolicy> policy1 =
+      createFromParentPolicy(nullptr, m_originA);
+  WebParsedFeaturePolicy framePolicy = FeaturePolicy::parseFeaturePolicy(
+      "{\"default-self\": [\"*\"]}", m_originB.get(), &messages);
+  EXPECT_EQ(0UL, messages.size());
+  std::unique_ptr<FeaturePolicy> policy2 =
+      createFromParentWithFramePolicy(policy1.get(), &framePolicy, m_originB);
+  EXPECT_TRUE(
+      policy1->isFeatureEnabledForOrigin(kDefaultSelfFeature, *m_originA));
+  EXPECT_FALSE(
+      policy1->isFeatureEnabledForOrigin(kDefaultSelfFeature, *m_originB));
+  EXPECT_FALSE(
+      policy1->isFeatureEnabledForOrigin(kDefaultSelfFeature, *m_originC));
+  EXPECT_FALSE(
+      policy2->isFeatureEnabledForOrigin(kDefaultSelfFeature, *m_originA));
+  EXPECT_TRUE(
+      policy2->isFeatureEnabledForOrigin(kDefaultSelfFeature, *m_originB));
+  EXPECT_FALSE(
+      policy2->isFeatureEnabledForOrigin(kDefaultSelfFeature, *m_originC));
+}
+
+TEST_F(FeaturePolicyTest, TestFramePolicyCanBeFurtherDelegated) {
+  // +-------------------------------------------------+
+  // |(1)Origin A                                      |
+  // |No Policy                                        |
+  // |                                                 |
+  // |<iframe policy='{"default-self": ["self"]}'>     |
+  // | +---------------------------------------------+ |
+  // | |(2)Origin B                                  | |
+  // | |No Policy                                    | |
+  // | |                                             | |
+  // | |<iframe policy='{"default-self": ["self"]}'> | |
+  // | | +-------------+                             | |
+  // | | |(3)Origin C  |                             | |
+  // | | |No Policy    |                             | |
+  // | | +-------------+                             | |
+  // | |                                             | |
+  // | |<iframe> (No frame policy)                   | |
+  // | | +-------------+                             | |
+  // | | |(4)Origin C  |                             | |
+  // | | |No Policy    |                             | |
+  // | | +-------------+                             | |
+  // | +---------------------------------------------+ |
+  // +-------------------------------------------------+
+  // Default-self feature should be enabled in cross-origin child frames 2 and
+  // 3. Feature should be disabled in frame 4 because it was not further
+  // delegated through frame policy.
+  Vector<String> messages;
+  std::unique_ptr<FeaturePolicy> policy1 =
+      createFromParentPolicy(nullptr, m_originA);
+  WebParsedFeaturePolicy framePolicy1 = FeaturePolicy::parseFeaturePolicy(
+      "{\"default-self\": [\"self\"]}", m_originB.get(), &messages);
+  EXPECT_EQ(0UL, messages.size());
+  std::unique_ptr<FeaturePolicy> policy2 =
+      createFromParentWithFramePolicy(policy1.get(), &framePolicy1, m_originB);
+  WebParsedFeaturePolicy framePolicy2 = FeaturePolicy::parseFeaturePolicy(
+      "{\"default-self\": [\"self\"]}", m_originC.get(), &messages);
+  EXPECT_EQ(0UL, messages.size());
+  std::unique_ptr<FeaturePolicy> policy3 =
+      createFromParentWithFramePolicy(policy2.get(), &framePolicy2, m_originC);
+  std::unique_ptr<FeaturePolicy> policy4 =
+      createFromParentWithFramePolicy(policy2.get(), nullptr, m_originC);
+  EXPECT_FALSE(
+      policy3->isFeatureEnabledForOrigin(kDefaultSelfFeature, *m_originA));
+  EXPECT_FALSE(
+      policy3->isFeatureEnabledForOrigin(kDefaultSelfFeature, *m_originB));
+  EXPECT_TRUE(
+      policy3->isFeatureEnabledForOrigin(kDefaultSelfFeature, *m_originC));
+  EXPECT_FALSE(
+      policy4->isFeatureEnabledForOrigin(kDefaultSelfFeature, *m_originA));
+  EXPECT_FALSE(
+      policy4->isFeatureEnabledForOrigin(kDefaultSelfFeature, *m_originB));
+  EXPECT_FALSE(
+      policy4->isFeatureEnabledForOrigin(kDefaultSelfFeature, *m_originC));
+}
+
+TEST_F(FeaturePolicyTest, TestDefaultOnCanBeDisabledByFramePolicy) {
+  // +-------------------------------------+
+  // |(1)Origin A                          |
+  // |No Policy                            |
+  // |                                     |
+  // |<iframe policy='{"default-on": []}'> |
+  // | +-------------+                     |
+  // | |(2)Origin A  |                     |
+  // | |No Policy    |                     |
+  // | +-------------+                     |
+  // |                                     |
+  // |<iframe policy='{"default-on": []}'> |
+  // | +-------------+                     |
+  // | |(3)Origin B  |                     |
+  // | |No Policy    |                     |
+  // | +-------------+                     |
+  // +-------------------------------------+
+  // Default-on feature should be disabled in both same-origin and cross-origin
+  // child frames because permission was removed through frame policy.
+  Vector<String> messages;
+  std::unique_ptr<FeaturePolicy> policy1 =
+      createFromParentPolicy(nullptr, m_originA);
+  WebParsedFeaturePolicy framePolicy1 = FeaturePolicy::parseFeaturePolicy(
+      "{\"default-on\": []}", m_originA.get(), &messages);
+  EXPECT_EQ(0UL, messages.size());
+  std::unique_ptr<FeaturePolicy> policy2 =
+      createFromParentWithFramePolicy(policy1.get(), &framePolicy1, m_originA);
+  WebParsedFeaturePolicy framePolicy2 = FeaturePolicy::parseFeaturePolicy(
+      "{\"default-on\": []}", m_originB.get(), &messages);
+  EXPECT_EQ(0UL, messages.size());
+  std::unique_ptr<FeaturePolicy> policy3 =
+      createFromParentWithFramePolicy(policy1.get(), &framePolicy2, m_originB);
+  EXPECT_TRUE(
+      policy1->isFeatureEnabledForOrigin(kDefaultOnFeature, *m_originA));
+  EXPECT_TRUE(
+      policy1->isFeatureEnabledForOrigin(kDefaultOnFeature, *m_originB));
+  EXPECT_TRUE(
+      policy1->isFeatureEnabledForOrigin(kDefaultOnFeature, *m_originC));
+  EXPECT_FALSE(
+      policy2->isFeatureEnabledForOrigin(kDefaultOnFeature, *m_originA));
+  EXPECT_FALSE(
+      policy2->isFeatureEnabledForOrigin(kDefaultOnFeature, *m_originB));
+  EXPECT_FALSE(
+      policy2->isFeatureEnabledForOrigin(kDefaultOnFeature, *m_originC));
+  EXPECT_FALSE(
+      policy3->isFeatureEnabledForOrigin(kDefaultOnFeature, *m_originA));
+  EXPECT_FALSE(
+      policy3->isFeatureEnabledForOrigin(kDefaultOnFeature, *m_originB));
+  EXPECT_FALSE(
+      policy3->isFeatureEnabledForOrigin(kDefaultOnFeature, *m_originC));
+}
+
+TEST_F(FeaturePolicyTest, TestDefaultOffMustBeEnabledByChildFrame) {
+  // +--------------------------------------------+
+  // |(1)Origin A                                 |
+  // |No Policy                                   |
+  // |                                            |
+  // |<iframe policy='{"default-off": ["self"]}'> |
+  // | +-------------+                            |
+  // | |(2)Origin A  |                            |
+  // | |No Policy    |                            |
+  // | +-------------+                            |
+  // |                                            |
+  // |<iframe policy='{"default-off": ["self"]}'> |
+  // | +-------------+                            |
+  // | |(3)Origin B  |                            |
+  // | |No Policy    |                            |
+  // | +-------------+                            |
+  // +--------------------------------------------+
+  // Default-off feature should be disabled in both same-origin and cross-origin
+  // child frames because they did not declare their own policy to enable it.
+  Vector<String> messages;
+  std::unique_ptr<FeaturePolicy> policy1 =
+      createFromParentPolicy(nullptr, m_originA);

[raymes, 2017/02/03 00:28:51]

We might want to enable the feature in (1) by header policy, otherwise the
feature shouldn't get delegated anyway. Is that right? I think this is the
result of my comment in the previous file.

[iclelland, 2017/02/14 21:25:03]

Done. Required by algorithm now.

+  WebParsedFeaturePolicy framePolicy1 = FeaturePolicy::parseFeaturePolicy(
+      "{\"default-off\": [\"self\"]}", m_originA.get(), &messages);
+  EXPECT_EQ(0UL, messages.size());
+  std::unique_ptr<FeaturePolicy> policy2 =
+      createFromParentWithFramePolicy(policy1.get(), &framePolicy1, m_originA);
+  WebParsedFeaturePolicy framePolicy2 = FeaturePolicy::parseFeaturePolicy(
+      "{\"default-off\": [\"self\"]}", m_originB.get(), &messages);
+  EXPECT_EQ(0UL, messages.size());
+  std::unique_ptr<FeaturePolicy> policy3 =
+      createFromParentWithFramePolicy(policy1.get(), &framePolicy2, m_originB);
+  EXPECT_FALSE(
+      policy1->isFeatureEnabledForOrigin(kDefaultOffFeature, *m_originA));
+  EXPECT_FALSE(
+      policy1->isFeatureEnabledForOrigin(kDefaultOffFeature, *m_originB));
+  EXPECT_FALSE(
+      policy1->isFeatureEnabledForOrigin(kDefaultOffFeature, *m_originC));
+  EXPECT_FALSE(
+      policy2->isFeatureEnabledForOrigin(kDefaultOffFeature, *m_originA));
+  EXPECT_FALSE(
+      policy2->isFeatureEnabledForOrigin(kDefaultOffFeature, *m_originB));
+  EXPECT_FALSE(
+      policy2->isFeatureEnabledForOrigin(kDefaultOffFeature, *m_originC));
+  EXPECT_FALSE(
+      policy3->isFeatureEnabledForOrigin(kDefaultOffFeature, *m_originA));
+  EXPECT_FALSE(
+      policy3->isFeatureEnabledForOrigin(kDefaultOffFeature, *m_originB));
+  EXPECT_FALSE(
+      policy3->isFeatureEnabledForOrigin(kDefaultOffFeature, *m_originC));
+}
+
+TEST_F(FeaturePolicyTest, TestDefaultOffCanBeEnabledByChildFrame) {
+  // +--------------------------------------------+
+  // |(1)Origin A                                 |
+  // |No Policy                                   |
+  // |                                            |
+  // |<iframe policy='{"default-off": ["self"]}'> |
+  // | +----------------------------------------+ |
+  // | |(2)Origin A                             | |
+  // | |Policy: {"default-off": ["self"]}       | |
+  // | +----------------------------------------+ |
+  // |                                            |
+  // |<iframe policy='{"default-off": ["self"]}'> |
+  // | +----------------------------------------+ |
+  // | |(3)Origin B                             | |
+  // | |Policy: {"default-off": ["self"]}       | |
+  // | +----------------------------------------+ |
+  // +--------------------------------------------+
+  // Default-off feature should be enabled in both same-origin and cross-origin
+  // child frames because it is delegated through the parent's frame policy, and
+  // they declare their own policy to enable it.
+  Vector<String> messages;
+  std::unique_ptr<FeaturePolicy> policy1 =
+      createFromParentPolicy(nullptr, m_originA);
+  WebParsedFeaturePolicy framePolicy1 = FeaturePolicy::parseFeaturePolicy(
+      "{\"default-off\": [\"self\"]}", m_originA.get(), &messages);
+  EXPECT_EQ(0UL, messages.size());
+  std::unique_ptr<FeaturePolicy> policy2 =
+      createFromParentWithFramePolicy(policy1.get(), &framePolicy1, m_originA);
+  policy2->setHeaderPolicy(FeaturePolicy::parseFeaturePolicy(

[raymes, 2017/02/03 00:28:51]

Shouldn't frame (1) have to do this in order to delegate the feature through the
iframe attribute? 

[iclelland, 2017/02/03 16:59:54]

See the comment in the previous file -- Maybe we do want frame 1 to have to do
that, but it does mean that default-off features are never going to be usable at
all without being able to set HTTP headers.

[iclelland, 2017/02/14 21:25:03]

Changed now; header (or eventually meta) must be applied in all frames. Test
updated.

+      "{\"default-off\": [\"self\"]}", m_originA.get(), &messages));
+  WebParsedFeaturePolicy framePolicy2 = FeaturePolicy::parseFeaturePolicy(
+      "{\"default-off\": [\"self\"]}", m_originB.get(), &messages);
+  EXPECT_EQ(0UL, messages.size());
+  std::unique_ptr<FeaturePolicy> policy3 =
+      createFromParentWithFramePolicy(policy1.get(), &framePolicy2, m_originB);
+  policy3->setHeaderPolicy(FeaturePolicy::parseFeaturePolicy(
+      "{\"default-off\": [\"self\"]}", m_originB.get(), &messages));
+  EXPECT_FALSE(
+      policy1->isFeatureEnabledForOrigin(kDefaultOffFeature, *m_originA));
+  EXPECT_FALSE(
+      policy1->isFeatureEnabledForOrigin(kDefaultOffFeature, *m_originB));
+  EXPECT_FALSE(
+      policy1->isFeatureEnabledForOrigin(kDefaultOffFeature, *m_originC));
+  EXPECT_TRUE(
+      policy2->isFeatureEnabledForOrigin(kDefaultOffFeature, *m_originA));
+  EXPECT_FALSE(
+      policy2->isFeatureEnabledForOrigin(kDefaultOffFeature, *m_originB));
+  EXPECT_FALSE(
+      policy2->isFeatureEnabledForOrigin(kDefaultOffFeature, *m_originC));
+  EXPECT_FALSE(
+      policy3->isFeatureEnabledForOrigin(kDefaultOffFeature, *m_originA));
+  EXPECT_TRUE(
+      policy3->isFeatureEnabledForOrigin(kDefaultOffFeature, *m_originB));
+  EXPECT_FALSE(
+      policy3->isFeatureEnabledForOrigin(kDefaultOffFeature, *m_originC));
+}
+
+TEST_F(FeaturePolicyTest, TestFramePolicyModifiesHeaderPolicy) {
+  // +-----------------------------------------------+
+  // |(1)Origin A                                    |
+  // |Policy: {"default-self": ["self", "Origin B"]} |
+  // |                                               |
+  // |<iframe policy='{"default-self": []}'>         |
+  // | +-------------------------------------------+ |
+  // | |(2)Origin B                                | |
+  // | |No Policy                                  | |
+  // | +-------------------------------------------+ |
+  // |                                               |
+  // |<iframe policy='{"default-self": []}'>         |
+  // | +-------------------------------------------+ |
+  // | |(3)Origin B                                | |
+  // | |Policy: {"default-self": ["self"]}         | |
+  // | +-------------------------------------------+ |
+  // +-----------------------------------------------+
+  // Default-self feature should be disabled in both cross-origin child frames
+  // by frame policy, even though the parent frame's header policy would
+  // otherwise enable it. This is true regardless of the child frame's header
+  // policy.
+  Vector<String> messages;
+  std::unique_ptr<FeaturePolicy> policy1 =
+      createFromParentPolicy(nullptr, m_originA);
+  policy1->setHeaderPolicy(FeaturePolicy::parseFeaturePolicy(
+      "{\"default-self\": [\"self\", \"" ORIGIN_B "\"]}", m_originA.get(),
+      &messages));
+  EXPECT_EQ(0UL, messages.size());
+  WebParsedFeaturePolicy framePolicy1 = FeaturePolicy::parseFeaturePolicy(
+      "{\"default-self\": []}", m_originB.get(), &messages);
+  EXPECT_EQ(0UL, messages.size());
+  std::unique_ptr<FeaturePolicy> policy2 =
+      createFromParentWithFramePolicy(policy1.get(), &framePolicy1, m_originB);
+  WebParsedFeaturePolicy framePolicy2 = FeaturePolicy::parseFeaturePolicy(
+      "{\"default-self\": []}", m_originB.get(), &messages);
+  EXPECT_EQ(0UL, messages.size());
+  std::unique_ptr<FeaturePolicy> policy3 =
+      createFromParentWithFramePolicy(policy1.get(), &framePolicy2, m_originB);
+  policy3->setHeaderPolicy(FeaturePolicy::parseFeaturePolicy(
+      "{\"default-self\": [\"self\"]}", m_originB.get(), &messages));
+  EXPECT_FALSE(
+      policy2->isFeatureEnabledForOrigin(kDefaultSelfFeature, *m_originB));
+  EXPECT_FALSE(
+      policy3->isFeatureEnabledForOrigin(kDefaultSelfFeature, *m_originB));
+}
+
+TEST_F(FeaturePolicyTest, TestCombineFrameAndHeaderPolicies) {
+  // +---------------------------------------------+
+  // |(1)Origin A                                  |
+  // |No Policy                                    |
+  // |                                             |
+  // |<iframe policy='{"default-self": ["self"]}'> |
+  // | +-----------------------------------------+ |
+  // | |(2)Origin B                              | |
+  // | |Policy: {"default-self": ["*"]}          | |
+  // | |                                         | |
+  // | |<iframe policy='{"default-self": []}'>   | |
+  // | | +-------------+                         | |
+  // | | |(3)Origin C  |                         | |
+  // | | |No Policy    |                         | |
+  // | | +-------------+                         | |
+  // | |                                         | |
+  // | |<iframe> (No frame policy)               | |
+  // | | +-------------+                         | |
+  // | | |(4)Origin C  |                         | |
+  // | | |No Policy    |                         | |
+  // | | +-------------+                         | |
+  // | +-----------------------------------------+ |
+  // +---------------------------------------------+
+  // Default-self feature should be enabled in cross-origin child frames 2 and
+  // 4. Feature should be disabled in frame 2 by frame policy.
+  Vector<String> messages;
+  std::unique_ptr<FeaturePolicy> policy1 =
+      createFromParentPolicy(nullptr, m_originA);
+  WebParsedFeaturePolicy framePolicy1 = FeaturePolicy::parseFeaturePolicy(
+      "{\"default-self\": [\"self\"]}", m_originB.get(), &messages);
+  EXPECT_EQ(0UL, messages.size());
+  std::unique_ptr<FeaturePolicy> policy2 =
+      createFromParentWithFramePolicy(policy1.get(), &framePolicy1, m_originB);
+  policy2->setHeaderPolicy(FeaturePolicy::parseFeaturePolicy(
+      "{\"default-self\": [\"*\"]}", m_originB.get(), &messages));
+  WebParsedFeaturePolicy framePolicy2 = FeaturePolicy::parseFeaturePolicy(
+      "{\"default-self\": [\"\"]}", m_originC.get(), &messages);
+  EXPECT_EQ(0UL, messages.size());
+  std::unique_ptr<FeaturePolicy> policy3 =
+      createFromParentWithFramePolicy(policy2.get(), &framePolicy2, m_originC);
+  std::unique_ptr<FeaturePolicy> policy4 =
+      createFromParentWithFramePolicy(policy2.get(), nullptr, m_originC);
+  EXPECT_TRUE(
+      policy1->isFeatureEnabledForOrigin(kDefaultSelfFeature, *m_originA));
+  EXPECT_TRUE(
+      policy2->isFeatureEnabledForOrigin(kDefaultSelfFeature, *m_originB));
+  EXPECT_FALSE(
+      policy3->isFeatureEnabledForOrigin(kDefaultSelfFeature, *m_originC));
+  EXPECT_TRUE(
+      policy4->isFeatureEnabledForOrigin(kDefaultSelfFeature, *m_originC));
+}
+
 }  // namespace blink