Introduce content-side Feature Policy object and maintain in parallel with renderer policy.

content/common/feature_policy/feature_policy.h

Index: content/common/feature_policy/feature_policy.h
diff --git a/content/common/feature_policy/feature_policy.h b/content/common/feature_policy/feature_policy.h
index b49e1a4489597d53939355aedb756057935296c0..60b689e158295c93f4fa91e39a8cef4537aad161 100644
--- a/content/common/feature_policy/feature_policy.h
+++ b/content/common/feature_policy/feature_policy.h
@@ -5,14 +5,77 @@
 #ifndef CONTENT_COMMON_FEATURE_POLICY_FEATURE_POLICY_H_
 #define CONTENT_COMMON_FEATURE_POLICY_FEATURE_POLICY_H_
 
+#include <map>
+#include <memory>
 #include <string>
 #include <vector>
 
+#include "base/macros.h"
 #include "content/common/content_export.h"
+#include "third_party/WebKit/public/platform/WebFeaturePolicy.h"
 #include "url/origin.h"
 
 namespace content {
 
+// Feature Policy is a mechanism for controlling the availability of web
+// platform features in a frame, including all embedded frames. It can be used
+// to remove features, automatically refuse API permission requests, or modify
+// the behaviour of features. (The specific changes which are made depend on the
+// feature; see the specification for details).
+//
+// Policies can be defined in the HTTP header stream, with the |Feature-Policy|
+// HTTP header, or can be set by the |allow| attributes on the iframe element
+// which embeds the document.
+//
+// See https://wicg.github.io/FeaturePolicy/
+//
+// Key concepts:
+//
+// Features
+// --------
+// Features which can be controlled by policy are defined by instances of the
+// FeaturePolicy::Feature struct. The features are referenced by the
+// |WebFeaturePolicyFeature| enum, declared in |WebFeaturePolicy.h|.
+//
+// Whitelists
+// ----------
+// Whitelists are collections of origins, although two special terms can be used
+// when declaring them:
+//   "self" refers to the orgin of the frame which is declaring the policy.
+//   "*" refers to all origins; any origin will match a whitelist which contains
+//     it.
+//
+// Declarations
+// ------------
+// A feature policy declaration is a mapping of a feature name to a whitelist.
+// A set of declarations is a declared policy.
+//
+// Inherited Policy
+// ----------------
+// In addition to the declared policy (which may be empty), every frame has
+// an inherited policy, which is determined by the context in which it is
+// embedded, or by the defaults for each feature in the case of the top-level
+// document.
+//
+// Defaults
+// --------
+// Each defined feature has a default policy, which determines whether the
+// feature is available when no policy has been declared, ans determines how the
+// feature is inherited across origin boundaries.
+//
+// If the default policy  is in effect for a frame, then it controls how the
+// feature is inherited by any cross-origin iframes embedded by the frame. (See
+// the comments below in FeaturePolicy::DefaultPolicy for specifics)
+//
+// Policy Inheritance
+// ------------------
+// Policies in effect for a frame are inherited by any child frames it embeds.
+// Unless another policy is declared in the child, all same-origin children will
+// receive the same set of enables features as the parent frame. Whether or not
+// features are inherited by cross-origin iframes without an explicit policy is
+// determined by the feature's default policy. (Again, see the comments in
+// FeaturePolicy::DefaultPolicy for details)
+
 // This struct holds feature policy whitelist data that needs to be replicated
 // between a RenderFrame and any of its associated RenderFrameProxies. A list of
 // these form a ParsedFeaturePolicyHeader.
@@ -33,6 +96,114 @@ struct CONTENT_EXPORT ParsedFeaturePolicyDeclaration {
 
 using ParsedFeaturePolicyHeader = std::vector<ParsedFeaturePolicyDeclaration>;
 
+class CONTENT_EXPORT FeaturePolicy {
+ public:
+  // Represents a collection of origins which make up a whitelist in a feature
+  // policy. This collection may be set to match every origin (corresponding to
+  // the "*" syntax in the policy string, in which case the Contains() method
+  // will always return true.
+  class Whitelist final {
+   public:
+    Whitelist();
+    ~Whitelist();
+
+    // Adds a single origin to the whitelist.
+    void Add(const url::Origin& origin);
+
+    // Adds all origins to the whitelist.
+    void AddAll();
+
+    // Returns true if the given origin has been added to the whitelist.
+    bool Contains(const url::Origin& origin) const;
+
+   private:
+    bool matches_all_origins_;
+    std::vector<url::Origin> origins_;
+  };
+
+  // The FeaturePolicy::FeatureDefault enum defines the default enable state for
+  // a feature when neither it nor any parent frame have declared an explicit
+  // policy. The three possibilities map directly to Feature Policy Whitelist
+  // semantics.
+  enum class FeatureDefault {
+    // Equivalent to []. If this default policy is in effect for a frame, then
+    // the feature will not be enabled for that frame or any of its children.
+    DisableForAll,
+
+    // Equivalent to ["self"]. If this default policy is in effect for a frame,
+    // then the feature will be enabled for that frame, and any same-origin
+    // child frames, but not for any cross-origin child frames.
+    EnableForSelf,
+
+    // Equivalent to ["*"]. If in effect for a frame, then the feature is
+    // enabled for that frame and all of its children.
+    EnableForAll
+  };
+
+  // The FeaturePolicy::Feature struct is used to define all features under
+  // control of Feature Policy. There should only be one instance of this struct
+  // for any given feature (declared below).
+  struct Feature {
+    // The name of the feature, as it should appear in a policy string
+    const char* const feature_name;
+
+    // Controls whether the feature should be available in the platform by
+    // default, in the absence of any declared policy.
+    FeatureDefault default_policy;
+  };
+
+  using FeatureList =
+      std::map<blink::WebFeaturePolicyFeature, const FeaturePolicy::Feature*>;
+
+  ~FeaturePolicy();
+
+  static std::unique_ptr<FeaturePolicy> CreateFromParentPolicy(
+      const FeaturePolicy* parent_policy,
+      const url::Origin& origin);
+
+  // Returns whether or not the given feature is enabled by this policy.
+  bool IsFeatureEnabledForOrigin(blink::WebFeaturePolicyFeature feature,
+                                 const url::Origin& origin) const;
+
+  // Returns whether or not the given feature is enabled for the origin of the
+  // document that owns the policy.
+  bool IsFeatureEnabled(blink::WebFeaturePolicyFeature feature) const;
+
+  // Sets the declared policy from the parsed Feature-Policy HTTP header.
+  // Unrecognized features will be ignored.
+  void SetHeaderPolicy(const ParsedFeaturePolicyHeader& parsed_header);
+
+ private:
+  friend class FeaturePolicyTest;
+
+  explicit FeaturePolicy(url::Origin origin);
+  FeaturePolicy(url::Origin origin, const FeatureList& feature_list);
+  static std::unique_ptr<FeaturePolicy> CreateFromParentPolicy(
+      const FeaturePolicy* parent_policy,
+      const url::Origin& origin,
+      const FeatureList& features);
+
+  // Returns the list of features which can be controlled by Feature Policy.
+  static const FeatureList& getDefaultFeatureList();

[alexmos, 2017/02/09 05:59:51]

nit: capitalize get

[iclelland, 2017/02/09 17:16:18]

Done.

+
+  url::Origin origin_;
+
+  // Map of feature names to declared whitelists. Any feature which is missing
+  // from this map should use the inherited policy.
+  std::map<blink::WebFeaturePolicyFeature, std::unique_ptr<Whitelist>>
+      whitelists_;
+
+  // Records whether or not each feature was enabled for this frame by its
+  // parent frame.
+  // TODO(iclelland): Generate, instead of this map, a set of bool flags, one
+  // for each feature, as all features are supposed to be represented here.
+  std::map<blink::WebFeaturePolicyFeature, bool> inherited_policies_;
+
+  const FeatureList& feature_list_;

[alexmos, 2017/02/09 05:59:51]

Just curious, why is this not shared across all feature policies?

[iclelland, 2017/02/09 17:16:18]

Outside of tests, it is shared across all of them. It's only explicitly held
here so that we can construct test policies without reference to any real
concrete features. For example, there are no "default-off" features currently
defined, but it's still useful to be able to construct a policy with such
features, to test the framework itself.

[alexmos, 2017/02/09 19:11:18]

Acknowledged.  I was just thinking about whether this could be static - not sure
if the tests need to instantiate multiple policies with differing feature lists,
but regardless, this matches the Blink side today, so any changes would be for
another CL.

+
+  DISALLOW_COPY_AND_ASSIGN(FeaturePolicy);
+};
+
 }  // namespace content
 
 #endif  // CONTENT_COMMON_FEATURE_POLICY_FEATURE_POLICY_H_