
Unified Diff: net/url_request/url_request_unittest.cc

Issue 2053693002: WIP: Move 'Upgrade-Insecure-Requests' to the browser process. Base URL: https://chromium.googlesource.com/chromium/src.git@replicate
Patch Set: Rebase. :( Created 3 years, 10 months ago
Index: net/url_request/url_request_unittest.cc
diff --git a/net/url_request/url_request_unittest.cc b/net/url_request/url_request_unittest.cc
index 2e51d6ac73a1871270e03c2926f2332ba8b5454d..45310794285fbada2477c9c9d6e2a2df16dfd2ab 100644
--- a/net/url_request/url_request_unittest.cc
+++ b/net/url_request/url_request_unittest.cc
@@ -8449,6 +8449,163 @@ TEST_F(URLRequestInterceptorTestHTTP,
EXPECT_EQ(2, default_network_delegate()->headers_received_count());
}
+class URLRequestTestInsecureRequestPolicy : public URLRequestTest {
+ public:
+ URLRequestTestInsecureRequestPolicy() : context_(true) {
+ context_.set_host_resolver(&host_resolver_);
+ context_.set_network_delegate(&network_delegate_);
+ context_.set_net_log(&net_log_);
+ context_.Init();
+
+ http_server_.reset(
+ new EmbeddedTestServer(net::EmbeddedTestServer::TYPE_HTTP));
+ http_server_->AddDefaultHandlers(base::FilePath(kTestFilePath));
+ EXPECT_TRUE(http_server_->Start());
+ https_server_.reset(
+ new EmbeddedTestServer(net::EmbeddedTestServer::TYPE_HTTPS));
+ https_server_->AddDefaultHandlers(
+ base::FilePath(FILE_PATH_LITERAL("net/data/ssl")));
+ EXPECT_TRUE(https_server_->Start());
+ }
+
+ void VerifyUpgradeAfterRedirect(const GURL& target,
+ const GURL& initiator,
+ URLRequest::InsecureRequestPolicy policy,
+ const GURL& upgraded_url) {
+ GURL redirect_url =
+ https_server_->GetURL("/server-redirect?" + target.spec());
+
+ TestDelegate d;
+ std::unique_ptr<URLRequest> r(
+ context_.CreateRequest(redirect_url, DEFAULT_PRIORITY, &d));
+ r->set_insecure_request_policy(policy);
+ r->set_initiator(url::Origin(initiator));
+ net_log_.Clear();
+
+ r->Start();
+ base::RunLoop().Run();
+
+ int rewrites = 0;
+ net::TestNetLogEntry::List entries;
+ net_log_.GetEntries(&entries);
+ for (const auto& entry : entries) {
+ if (entry.type == net::NetLogEventType::URL_REQUEST_REWRITTEN) {
+ rewrites++;
+ std::string value;
+ EXPECT_TRUE(entry.GetStringValue("reason", &value));
+ EXPECT_EQ("Upgrade-Insecure-Requests", value);
+ }
+ }
+
+ EXPECT_EQ(1, d.received_redirect_count());
+ EXPECT_EQ(2u, r->url_chain().size());
+ if (upgraded_url.is_empty()) {
+ EXPECT_EQ(target, r->url());
+ EXPECT_EQ(0, rewrites);
+ } else {
+ EXPECT_EQ(upgraded_url, r->url());
+ EXPECT_EQ(1, rewrites);
+ }
+ }
+
+ protected:
+ std::unique_ptr<EmbeddedTestServer> http_server_;
+ std::unique_ptr<EmbeddedTestServer> https_server_;
+ MockHostResolver host_resolver_;
+ TestNetworkDelegate network_delegate_;
+ TestURLRequestContext context_;
+ TestNetLog net_log_;
+};
+
+TEST_F(URLRequestTestInsecureRequestPolicy, UpgradeAfterRedirect) {
+ const GURL kHttpOrigin1 = http_server_->GetURL("origin1.test", "/");
+ const GURL kHttpOrigin2 = http_server_->GetURL("origin2.test", "/");
+ const GURL kHttpsOrigin1 = https_server_->GetURL("origin1.test", "/");
+ const GURL kHttpsOrigin2 = https_server_->GetURL("origin2.test", "/");
+
+ // The servers don't run on the default port, and Upgrade-Insecure-Requests
+ // leaves non-standard ports alone. So. To hack around this behavior, build an
+ // HTTP URL with the HTTPS server's port. If the upgrade fails, the request
+ // will timeout.
+ GURL::Replacements replacements;
+ replacements.SetSchemeStr(url::kHttpScheme);
+ const GURL kHttpOrigin1WithHttpsPort =
+ kHttpsOrigin1.ReplaceComponents(replacements);
+
+ struct TestCase {
+ const GURL& target;
+ const GURL& initiator;
+ URLRequest::InsecureRequestPolicy policy;
+ const GURL& upgraded_url;
+ } cases[] = {
+ // HTTP Requests
+ // Secure origins are not upgraded, regardless of policy or initiator:
+ {kHttpsOrigin1, kHttpOrigin1,
+ URLRequest::DO_NOT_UPGRADE_INSECURE_REQUESTS, GURL::EmptyGURL()},
+ {kHttpsOrigin1, kHttpOrigin1,
+ URLRequest::UPGRADE_SAME_HOST_INSECURE_REQUESTS, GURL::EmptyGURL()},
+ {kHttpsOrigin1, kHttpOrigin1, URLRequest::UPGRADE_ALL_INSECURE_REQUESTS,
+ GURL::EmptyGURL()},
+ {kHttpsOrigin1, kHttpOrigin2,
+ URLRequest::DO_NOT_UPGRADE_INSECURE_REQUESTS, GURL::EmptyGURL()},
+ {kHttpsOrigin1, kHttpOrigin2,
+ URLRequest::UPGRADE_SAME_HOST_INSECURE_REQUESTS, GURL::EmptyGURL()},
+ {kHttpsOrigin1, kHttpOrigin2, URLRequest::UPGRADE_ALL_INSECURE_REQUESTS,
+ GURL::EmptyGURL()},
+ {kHttpsOrigin1, kHttpsOrigin1,
+ URLRequest::DO_NOT_UPGRADE_INSECURE_REQUESTS, GURL::EmptyGURL()},
+ {kHttpsOrigin1, kHttpsOrigin1,
+ URLRequest::UPGRADE_SAME_HOST_INSECURE_REQUESTS, GURL::EmptyGURL()},
+ {kHttpsOrigin1, kHttpsOrigin1, URLRequest::UPGRADE_ALL_INSECURE_REQUESTS,
+ GURL::EmptyGURL()},
+ {kHttpsOrigin1, kHttpsOrigin2,
+ URLRequest::DO_NOT_UPGRADE_INSECURE_REQUESTS, GURL::EmptyGURL()},
+ {kHttpsOrigin1, kHttpsOrigin2,
+ URLRequest::UPGRADE_SAME_HOST_INSECURE_REQUESTS, GURL::EmptyGURL()},
+ {kHttpsOrigin1, kHttpsOrigin2, URLRequest::UPGRADE_ALL_INSECURE_REQUESTS,
+ GURL::EmptyGURL()},
+
+ // DO_NOT_UPGRADE_INSECURE_REQUESTS doesn't.
+ {kHttpOrigin1, kHttpOrigin1, URLRequest::DO_NOT_UPGRADE_INSECURE_REQUESTS,
+ GURL::EmptyGURL()},
+ {kHttpOrigin1, kHttpOrigin2, URLRequest::DO_NOT_UPGRADE_INSECURE_REQUESTS,
+ GURL::EmptyGURL()},
+ {kHttpOrigin1, kHttpsOrigin1,
+ URLRequest::DO_NOT_UPGRADE_INSECURE_REQUESTS, GURL::EmptyGURL()},
+ {kHttpOrigin1, kHttpsOrigin2,
+ URLRequest::DO_NOT_UPGRADE_INSECURE_REQUESTS, GURL::EmptyGURL()},
+
+ // UPGRADE_ALL_INSECURE_REQUESTS does.
+ {kHttpOrigin1WithHttpsPort, kHttpOrigin1,
+ URLRequest::UPGRADE_ALL_INSECURE_REQUESTS, kHttpsOrigin1},
+ {kHttpOrigin1WithHttpsPort, kHttpOrigin2,
+ URLRequest::UPGRADE_ALL_INSECURE_REQUESTS, kHttpsOrigin1},
+ {kHttpOrigin1WithHttpsPort, kHttpsOrigin1,
+ URLRequest::UPGRADE_ALL_INSECURE_REQUESTS, kHttpsOrigin1},
+ {kHttpOrigin1WithHttpsPort, kHttpsOrigin2,
+ URLRequest::UPGRADE_ALL_INSECURE_REQUESTS, kHttpsOrigin1},
+
+ // UPGRADE_SAME_HOST_INSECURE_REQUESTS upgrades insecure requests when the
+ // url's and initiator's hosts match.
+ {kHttpOrigin1WithHttpsPort, kHttpOrigin1,
+ URLRequest::UPGRADE_SAME_HOST_INSECURE_REQUESTS, kHttpsOrigin1},
+ {kHttpOrigin1, kHttpOrigin2,
+ URLRequest::UPGRADE_SAME_HOST_INSECURE_REQUESTS, GURL::EmptyGURL()},
+ {kHttpOrigin1WithHttpsPort, kHttpsOrigin1,
+ URLRequest::UPGRADE_SAME_HOST_INSECURE_REQUESTS, kHttpsOrigin1},
+ {kHttpOrigin1, kHttpsOrigin2,
+ URLRequest::UPGRADE_SAME_HOST_INSECURE_REQUESTS, GURL::EmptyGURL()},
+ };
+
+ for (const auto& test : cases) {
+ SCOPED_TRACE(testing::Message() << "Target: " << test.target
+ << " Initiator: " << test.initiator
+ << " Policy: " << test.policy);
+ VerifyUpgradeAfterRedirect(test.target, test.initiator, test.policy,
+ test.upgraded_url);
+ }
+}
+
class URLRequestTestReferrerPolicy : public URLRequestTest {
public:
URLRequestTestReferrerPolicy() {}
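Review bot: VerifyUpgradeAfterRedirect never checks how the request finished: after `base::RunLoop().Run()` it asserts only the redirect count, the URL chain length, the final URL and the NetLog rewrite entries. A load that fails after the rewrite would still pass, for example on a certificate error for the `origin1.test` HTTPS URL (the server's certificate setup is not visible in this hunk, so that case is an inference). The test therefore shows that the URL was rewritten, but not that the upgraded request completed over TLS. Consider adding `EXPECT_EQ(OK, d.request_status());` after the run loop, or asserting the specific expected error if a failure is intended for some rows. Separately, `EXPECT_TRUE(http_server_->Start())` in the constructor lets every case run against a server that did not start; moving start-up into `SetUp()` with `ASSERT_TRUE(...)` would stop the fixture early.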