Experimental Feature: Allow-CSP-From header

third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicyTest.cpp

Index: third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicyTest.cpp
diff --git a/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicyTest.cpp b/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicyTest.cpp
index c9dd09510cad457de3a815e15e8a6cca340ea468..ec47c9117e29867a977690747ca68547e7ba362f 100644
--- a/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicyTest.cpp
+++ b/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicyTest.cpp
@@ -862,4 +862,56 @@ TEST_F(ContentSecurityPolicyTest, NonceMultiplePolicy) {
   }
 }
 
+TEST_F(ContentSecurityPolicyTest, ShouldEnforceEmbeddersPolicy) {
+  struct TestCase {
+    const char* resourceURL;
+    const bool inherits;
+  } cases[] = {
+      // Same-origin
+      {"https://example.test/index.html", true},
+      // Cross-origin
+      {"http://example.test/index.html", false},
+      {"http://example.test:8443/index.html", false},
+      {"https://example.test:8443/index.html", false},
+      {"http://not.example.test/index.html", false},
+      {"https://not.example.test/index.html", false},
+      {"https://not.example.test:8443/index.html", false},
+
+      // Inherit
+      {"about:blank", true},
+      {"data:text/html,yay", true},
+      {"blob:https://example.test/bbe708f3-defd-4852-93b6-cf94e032f08d", true},
+      {"filesystem:http://example.test/temporary/index.html", true},
+  };
+
+  for (const auto& test : cases) {
+    ResourceResponse response;
+    response.setURL(KURL(ParsedURLString, test.resourceURL));
+    EXPECT_EQ(ContentSecurityPolicy::shouldEnforceEmbeddersPolicy(
+                  response, secureOrigin.get()),
+              test.inherits);
+
+    response.setHTTPHeaderField(HTTPNames::Allow_CSP_From, AtomicString("*"));
+    EXPECT_TRUE(ContentSecurityPolicy::shouldEnforceEmbeddersPolicy(
+        response, secureOrigin.get()));
+
+    response.setHTTPHeaderField(HTTPNames::Allow_CSP_From,
+                                AtomicString("* not a valid header"));
+    EXPECT_EQ(ContentSecurityPolicy::shouldEnforceEmbeddersPolicy(
+                  response, secureOrigin.get()),
+              test.inherits);
+
+    response.setHTTPHeaderField(HTTPNames::Allow_CSP_From,
+                                AtomicString("http://example.test"));
+    EXPECT_EQ(ContentSecurityPolicy::shouldEnforceEmbeddersPolicy(
+                  response, secureOrigin.get()),
+              test.inherits);
+
+    response.setHTTPHeaderField(HTTPNames::Allow_CSP_From,
+                                AtomicString("https://example.test"));
+    EXPECT_TRUE(ContentSecurityPolicy::shouldEnforceEmbeddersPolicy(
+        response, secureOrigin.get()));
+  }
+}
+
 }  // namespace blink