Introduce content-side Feature Policy object and maintain in parallel with renderer policy.

content/common/feature_policy/feature_policy.cc

 // Copyright 2017 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/common/feature_policy/feature_policy.h"
 
+#include "base/macros.h"
+#include "base/memory/ptr_util.h"
+#include "base/stl_util.h"
+
 namespace content {
 
+namespace {
+
+// Given a string name, return the matching feature struct, or nullptr if it is
+// not the name of a policy-controlled feature.
+blink::WebFeaturePolicyFeature FeatureForName(
+    std::string feature_name,

[alexmos, 2017/02/09 05:59:50]

nit: const std::string& ?

[iclelland, 2017/02/09 17:16:18]

Done.

+    const FeaturePolicy::FeatureList& features) {
+  for (const auto& feature_mapping : features) {
+    if (feature_name == feature_mapping.second->feature_name)
+      return feature_mapping.first;
+  }
+  return blink::WebFeaturePolicyFeature::NotFound;
+}
+
+// Definitions of all features controlled by Feature Policy should appear here.
+const FeaturePolicy::Feature kDocumentCookie{
+    "cookie", FeaturePolicy::FeatureDefault::EnableForAll};
+const FeaturePolicy::Feature kDocumentDomain{
+    "domain", FeaturePolicy::FeatureDefault::EnableForAll};
+const FeaturePolicy::Feature kDocumentWrite{
+    "docwrite", FeaturePolicy::FeatureDefault::EnableForAll};
+const FeaturePolicy::Feature kFullscreenFeature{
+    "fullscreen", FeaturePolicy::FeatureDefault::EnableForSelf};
+const FeaturePolicy::Feature kGeolocationFeature{
+    "geolocation", FeaturePolicy::FeatureDefault::EnableForSelf};
+const FeaturePolicy::Feature kMidiFeature{
+    "midi", FeaturePolicy::FeatureDefault::EnableForAll};
+const FeaturePolicy::Feature kNotificationsFeature{
+    "notifications", FeaturePolicy::FeatureDefault::EnableForAll};
+const FeaturePolicy::Feature kPaymentFeature{
+    "payment", FeaturePolicy::FeatureDefault::EnableForSelf};
+const FeaturePolicy::Feature kPushFeature{
+    "push", FeaturePolicy::FeatureDefault::EnableForAll};
+const FeaturePolicy::Feature kSyncScript{
+    "sync-script", FeaturePolicy::FeatureDefault::EnableForAll};
+const FeaturePolicy::Feature kSyncXHR{
+    "sync-xhr", FeaturePolicy::FeatureDefault::EnableForAll};
+const FeaturePolicy::Feature kUsermedia{
+    "usermedia", FeaturePolicy::FeatureDefault::EnableForAll};
+const FeaturePolicy::Feature kVibrateFeature{
+    "vibrate", FeaturePolicy::FeatureDefault::EnableForSelf};
+const FeaturePolicy::Feature kWebRTC{
+    "webrtc", FeaturePolicy::FeatureDefault::EnableForAll};
+
+// Extracts a Whitelist from a ParsedFeaturePolicyDeclaration.
+std::unique_ptr<FeaturePolicy::Whitelist> WhitelistFromDeclaration(
+    const ParsedFeaturePolicyDeclaration& parsed_declaration) {
+  std::unique_ptr<FeaturePolicy::Whitelist> result =
+      base::WrapUnique(new FeaturePolicy::Whitelist());
+  if (parsed_declaration.matches_all_origins)
+    result->AddAll();
+  for (const auto& origin : parsed_declaration.origins)
+    result->Add(origin);
+  return result;
+}
+
+}  // namespace
+
 ParsedFeaturePolicyDeclaration::ParsedFeaturePolicyDeclaration()
     : matches_all_origins(false) {}
 
 ParsedFeaturePolicyDeclaration::ParsedFeaturePolicyDeclaration(
     std::string feature_name,
     bool matches_all_origins,
     std::vector<url::Origin> origins)
     : feature_name(feature_name),
       matches_all_origins(matches_all_origins),
       origins(origins) {}
 
 ParsedFeaturePolicyDeclaration::ParsedFeaturePolicyDeclaration(
     const ParsedFeaturePolicyDeclaration& rhs) = default;
 
 ParsedFeaturePolicyDeclaration::~ParsedFeaturePolicyDeclaration() {}
 
+FeaturePolicy::Whitelist::Whitelist() : matches_all_origins_(false) {}
+
+FeaturePolicy::Whitelist::~Whitelist() = default;
+
+void FeaturePolicy::Whitelist::Add(const url::Origin& origin) {
+  origins_.push_back(origin);
+}
+
+void FeaturePolicy::Whitelist::AddAll() {
+  matches_all_origins_ = true;
+}
+
+bool FeaturePolicy::Whitelist::Contains(const url::Origin& origin) const {
+  if (matches_all_origins_)
+    return true;
+  for (const auto& targetOrigin : origins_) {
+    if (targetOrigin.IsSameOriginWith(origin))
+      return true;
+  }
+  return false;
+}
+
+// static
+std::unique_ptr<FeaturePolicy> FeaturePolicy::CreateFromParentPolicy(
+    const FeaturePolicy* parent_policy,
+    const url::Origin& origin) {
+  return CreateFromParentPolicy(parent_policy, origin, getDefaultFeatureList());
+}
+
+bool FeaturePolicy::IsFeatureEnabledForOrigin(
+    blink::WebFeaturePolicyFeature feature,
+    const url::Origin& origin) const {
+  DCHECK(base::ContainsKey(feature_list_, feature));
+  const FeaturePolicy::Feature* feature_definition = feature_list_.at(feature);
+  DCHECK(base::ContainsKey(inherited_policies_, feature));
+  if (!inherited_policies_.at(feature)) {
+    return false;

[alexmos, 2017/02/09 05:59:51]

nit: {} not necessary for single-line if and body (also for the if below)

[iclelland, 2017/02/09 17:16:18]

Done.

+  }
+  auto whitelist = whitelists_.find(feature);
+  if (whitelist != whitelists_.end()) {
+    return whitelist->second->Contains(origin);
+  }
+  if (feature_definition->default_policy ==
+      FeaturePolicy::FeatureDefault::EnableForAll) {
+    return true;
+  }
+  if (feature_definition->default_policy ==
+      FeaturePolicy::FeatureDefault::EnableForSelf) {
+    return origin_.IsSameOriginWith(origin);
+  }
+  return false;
+}
+
+bool FeaturePolicy::IsFeatureEnabled(
+    blink::WebFeaturePolicyFeature feature) const {
+  return IsFeatureEnabledForOrigin(feature, origin_);

[alexmos, 2017/02/09 05:59:50]

This brings an interesting point.  For unique origins, if the same instance of a
unique origin is passed to SecurityOrigin::isSameSchemeHostPort, it will return
true
(https://cs.chromium.org/chromium/src/third_party/WebKit/Source/platform/webor...),
but url::Origin would return false
(https://cs.chromium.org/chromium/src/url/origin.cc?l=161).  So if origin_ is
unique, it wouldn't pass the check in line 135, whereas it would in Blink.  I
don't know if this matters for you in practice (e.g., in sandboxed iframes), but
mentioning it just in case.

[iclelland, 2017/02/09 17:16:18]

Yes, I discovered that yesterday, troubleshooting the next CL in the series
(https://codereview.chromium.org/2651883008/). I've a call with mkwst to talk
about the semantics of unique/opaque origins in this case this afternoon. I
think the solution is to change the API slightly for the most common case (where
the only origin we care about is the frame's one)  and explicitly check the
origin for identity with that, even if it's unique. That doesn't help *every*
case, but it at least allows the default policy to work in those frames.

There are certainly tricky issues around this, though -- there's no way to
convert a unique SecurityOrigin to a url::Origin in a way that preserves its
identity :(

I've created crbug.com/690520 to ensure that this doesn't get forgotten.

+}
+
+void FeaturePolicy::SetHeaderPolicy(
+    const ParsedFeaturePolicyHeader& parsed_header) {
+  DCHECK(whitelists_.empty());
+  for (const ParsedFeaturePolicyDeclaration& parsed_declaration :
+       parsed_header) {
+    blink::WebFeaturePolicyFeature feature =
+        FeatureForName(parsed_declaration.feature_name, feature_list_);
+    if (feature == blink::WebFeaturePolicyFeature::NotFound)
+      continue;
+    whitelists_[feature] = WhitelistFromDeclaration(parsed_declaration);
+  }
+}
+
+FeaturePolicy::FeaturePolicy(url::Origin origin,
+                             const FeatureList& feature_list)
+    : origin_(origin), feature_list_(feature_list) {}
+
+FeaturePolicy::FeaturePolicy(url::Origin origin)
+    : origin_(origin), feature_list_(getDefaultFeatureList()) {}
+
+FeaturePolicy::~FeaturePolicy() {}
+
+// static
+std::unique_ptr<FeaturePolicy> FeaturePolicy::CreateFromParentPolicy(
+    const FeaturePolicy* parent_policy,
+    const url::Origin& origin,
+    const FeaturePolicy::FeatureList& features) {
+  std::unique_ptr<FeaturePolicy> newPolicy =

[alexmos, 2017/02/09 05:59:51]

nit: new_policy

[iclelland, 2017/02/09 17:16:18]

Thanks; need a better converter from blink style :)

+      base::WrapUnique(new FeaturePolicy(origin, features));
+  for (const auto& feature : features) {
+    if (!parent_policy ||
+        parent_policy->IsFeatureEnabledForOrigin(feature.first, origin)) {
+      newPolicy->inherited_policies_[feature.first] = true;
+    } else {
+      newPolicy->inherited_policies_[feature.first] = false;
+    }
+  }
+  return newPolicy;
+}
+
+// static
+const FeaturePolicy::FeatureList& FeaturePolicy::getDefaultFeatureList() {
+  CR_DEFINE_STATIC_LOCAL(
+      FeatureList, defaultFeatureList,

[alexmos, 2017/02/09 05:59:50]

nit: defaultFeatureList -> default_feature_list

[iclelland, 2017/02/09 17:16:18]

Done.

+      ({{blink::WebFeaturePolicyFeature::DocumentCookie, &kDocumentCookie},
+        {blink::WebFeaturePolicyFeature::DocumentDomain, &kDocumentDomain},
+        {blink::WebFeaturePolicyFeature::DocumentWrite, &kDocumentWrite},
+        {blink::WebFeaturePolicyFeature::Fullscreen, &kFullscreenFeature},
+        {blink::WebFeaturePolicyFeature::Geolocation, &kGeolocationFeature},
+        {blink::WebFeaturePolicyFeature::MidiFeature, &kMidiFeature},
+        {blink::WebFeaturePolicyFeature::Notifications, &kNotificationsFeature},
+        {blink::WebFeaturePolicyFeature::Payment, &kPaymentFeature},
+        {blink::WebFeaturePolicyFeature::Push, &kPushFeature},
+        {blink::WebFeaturePolicyFeature::SyncScript, &kSyncScript},
+        {blink::WebFeaturePolicyFeature::SyncXHR, &kSyncXHR},
+        {blink::WebFeaturePolicyFeature::Usermedia, &kUsermedia},
+        {blink::WebFeaturePolicyFeature::Vibrate, &kVibrateFeature},
+        {blink::WebFeaturePolicyFeature::WebRTC, &kWebRTC}}));
+  return defaultFeatureList;
+}
+
 }  // namespace content