Part 3.5: Is policy list subsumed under subsuming policy?
This is part of an experimental feature Embedding-CSP.
Here we add support for `none` source lists. Note that
normalized returned CSP might not explicitly declare `none`, but
with contradictory sources can allow effectively `none`.
For example if the secure origin is `http://google.com`:
Content-Security-Policy: script-src 'self'
Content-Security-Policy: script-src https://example.test/
then it should be subsumed by the Embedding-CSP that is :
Content-Security-Policy: script-src 'none'
BUG=647588
Review-Url: https://codereview.chromium.org/2528423002
Cr-Commit-Position: refs/heads/master@{#436270}
5 files changed