Index: Source/core/frame/csp/CSPSourceListTest.cpp |
diff --git a/Source/core/frame/csp/CSPSourceListTest.cpp b/Source/core/frame/csp/CSPSourceListTest.cpp |
index 9c1374f77445370f3601b1ccacaf2d92d2672978..be247b10f40980c1ec7063dcb275b12aaeb8aa9f 100644 |
--- a/Source/core/frame/csp/CSPSourceListTest.cpp |
+++ b/Source/core/frame/csp/CSPSourceListTest.cpp |
@@ -9,6 +9,7 @@ |
#include "core/frame/csp/CSPSource.h" |
#include "core/frame/csp/ContentSecurityPolicy.h" |
#include "platform/weborigin/KURL.h" |
+#include "platform/weborigin/SchemeRegistry.h" |
#include "platform/weborigin/SecurityOrigin.h" |
#include <gtest/gtest.h> |
@@ -65,6 +66,37 @@ TEST_F(CSPSourceListTest, BasicMatchingSelf) |
EXPECT_TRUE(sourceList.matches(KURL(base, "https://example.test/"))); |
} |
+TEST_F(CSPSourceListTest, BlobMatchingSelf) |
+{ |
+ KURL base; |
+ String sources = "'self'"; |
+ CSPSourceList sourceList(csp.get(), "script-src"); |
+ parseSourceList(sourceList, sources); |
+ |
+ EXPECT_TRUE(sourceList.matches(KURL(base, "https://example.test/"))); |
+ EXPECT_FALSE(sourceList.matches(KURL(base, "blob:https://example.test/"))); |
+ |
+ // Register "https" as bypassing CSP, which should trigger the innerURL behavior. |
+ SchemeRegistry::registerURLSchemeAsBypassingContentSecurityPolicy("https"); |
+ |
+ EXPECT_TRUE(sourceList.matches(KURL(base, "https://example.test/"))); |
+ EXPECT_TRUE(sourceList.matches(KURL(base, "blob:https://example.test/"))); |
+ |
+ // Unregister the scheme to clean up after ourselves. |
+ SchemeRegistry::removeURLSchemeRegisteredAsBypassingContentSecurityPolicy("https"); |
+} |
+ |
+TEST_F(CSPSourceListTest, BlobMatchingBlob) |
+{ |
+ KURL base; |
+ String sources = "blob:"; |
+ CSPSourceList sourceList(csp.get(), "script-src"); |
+ parseSourceList(sourceList, sources); |
+ |
+ EXPECT_FALSE(sourceList.matches(KURL(base, "https://example.test/"))); |
+ EXPECT_TRUE(sourceList.matches(KURL(base, "blob:https://example.test/"))); |
+} |
+ |
TEST_F(CSPSourceListTest, BasicMatching) |
{ |
KURL base; |
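Review bot: BlobMatchingSelf asserts only the positive case after "https" is registered as bypassing CSP, so nothing pins that 'self' still rejects a blob: URL whose inner origin is not the policy's own. Assuming the fixture (set up outside this hunk) uses example.test as the self origin, add `EXPECT_FALSE(sourceList.matches(KURL(base, "blob:https://not-example.test/")));` right after the second pair of EXPECT_TRUE lines. Otherwise a regression that makes the inner-URL path match any origin would go unnoticed. Separately, the SchemeRegistry registration is process-global and is undone only by the last statement of the test body. Moving the `removeURLSchemeRegisteredAsBypassingContentSecurityPolicy("https")` call into the fixture's TearDown, or a small scoped helper, would keep the bypass from leaking into later CSP tests if the body ever exits early.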