CORS-RFC1918: Introduce 'treat-as-public-address' CSP directive

third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicyTest.cpp

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "core/frame/csp/ContentSecurityPolicy.h"
 
 #include "core/dom/Document.h"
 #include "core/loader/DocumentLoader.h"
 #include "platform/RuntimeEnabledFeatures.h"
 #include "platform/network/ContentSecurityPolicyParsers.h"
 #include "platform/network/ResourceRequest.h"
 #include "platform/weborigin/KURL.h"
 #include "platform/weborigin/SecurityOrigin.h"
+#include "public/platform/WebURLRequest.h"
 #include "testing/gtest/include/gtest/gtest.h"
 
 namespace blink {
 
 class ContentSecurityPolicyTest : public ::testing::Test {
 public:
     ContentSecurityPolicyTest()
         : csp(ContentSecurityPolicy::create())
         , secureURL(ParsedURLString, "https://example.test/image.png")
         , secureOrigin(SecurityOrigin::create(secureURL))
@@ skipping 26 matching lines @@
 TEST_F(ContentSecurityPolicyTest, ParseMonitorInsecureRequestsEnabled)
 {
     csp->didReceiveHeader("upgrade-insecure-requests", ContentSecurityPolicyHeaderTypeReport, ContentSecurityPolicyHeaderSourceHTTP);
     EXPECT_EQ(SecurityContext::InsecureRequestsDoNotUpgrade, csp->getInsecureRequestsPolicy());
 
     csp->bindToExecutionContext(document.get());
     EXPECT_EQ(SecurityContext::InsecureRequestsDoNotUpgrade, document->getInsecureRequestsPolicy());
     EXPECT_FALSE(document->insecureNavigationsToUpgrade()->contains(secureOrigin->host().impl()->hash()));
 }
 
+TEST_F(ContentSecurityPolicyTest, ParseEnforceTreatAsPublicAddressDisabled)
+{
+    RuntimeEnabledFeatures::setCorsRFC1918Enabled(false);
+    document->setHostedInReservedIPRange(true);
+    EXPECT_EQ(WebURLRequest::AddressSpacePrivate, document->addressSpace());
+
+    csp->didReceiveHeader("treat-as-public-address", ContentSecurityPolicyHeaderTypeEnforce, ContentSecurityPolicyHeaderSourceHTTP);
+    csp->bindToExecutionContext(document.get());
+    EXPECT_EQ(WebURLRequest::AddressSpacePrivate, document->addressSpace());
+}
+
+TEST_F(ContentSecurityPolicyTest, ParseEnforceTreatAsPublicAddressEnabled)
+{
+    RuntimeEnabledFeatures::setCorsRFC1918Enabled(true);
+    document->setHostedInReservedIPRange(true);
+    EXPECT_EQ(WebURLRequest::AddressSpacePrivate, document->addressSpace());
+
+    csp->didReceiveHeader("treat-as-public-address", ContentSecurityPolicyHeaderTypeEnforce, ContentSecurityPolicyHeaderSourceHTTP);
+    csp->bindToExecutionContext(document.get());
+    EXPECT_EQ(WebURLRequest::AddressSpacePublic, document->addressSpace());
+}
+
 TEST_F(ContentSecurityPolicyTest, CopyStateFrom)
 {
     csp->didReceiveHeader("script-src 'none'; plugin-types application/x-type-1", ContentSecurityPolicyHeaderTypeEnforce, ContentSecurityPolicyHeaderSourceHTTP);
     csp->didReceiveHeader("img-src http://example.com", ContentSecurityPolicyHeaderTypeEnforce, ContentSecurityPolicyHeaderSourceHTTP);
 
     KURL exampleUrl(KURL(), "http://example.com");
     KURL notExampleUrl(KURL(), "http://not-example.com");
 
     RefPtrWillBeRawPtr<ContentSecurityPolicy> csp2 = ContentSecurityPolicy::create();
     csp2->copyStateFrom(csp.get());
@@ skipping 60 matching lines @@
 }
 
 TEST_F(ContentSecurityPolicyTest, EmptyReferrerDirective)
 {
     csp->didReceiveHeader("referrer;", ContentSecurityPolicyHeaderTypeEnforce, ContentSecurityPolicyHeaderSourceHTTP);
     csp->bindToExecutionContext(document.get());
     EXPECT_EQ(ReferrerPolicyNever, document->getReferrerPolicy());
 }
 
 } // namespace blink