Implement ContentSecurityPolicy on the browser-side.

content/common/content_security_policy/csp_source_list_unittest.cc

Index: content/common/content_security_policy/csp_source_list_unittest.cc
diff --git a/content/common/content_security_policy/csp_source_list_unittest.cc b/content/common/content_security_policy/csp_source_list_unittest.cc
new file mode 100644
index 0000000000000000000000000000000000000000..3edba23f8efce5c30e808ed654bd40dffe14a6e0
--- /dev/null
+++ b/content/common/content_security_policy/csp_source_list_unittest.cc
@@ -0,0 +1,133 @@
+// Copyright 2017 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "content/common/content_security_policy/csp_source_list.h"
+#include "content/common/content_security_policy/csp_context.h"
+#include "testing/gtest/include/gtest/gtest.h"
+
+namespace content {
+
+namespace {
+
+class CSPContextTest : public CSPContext {
+ public:
+  void AddSchemeToBypassCSP(const std::string& scheme) {
+    scheme_to_bypass_.push_back(scheme);
+  }
+
+  bool SchemeShouldBypassCSP(const base::StringPiece& scheme) override {
+    return std::find(scheme_to_bypass_.begin(), scheme_to_bypass_.end(),
+                     scheme) != scheme_to_bypass_.end();
+  }
+
+ private:
+  std::vector<std::string> scheme_to_bypass_;
+};
+}
+
+TEST(CSPSourceListTest, MultipleSource) {
+  CSPContextTest context;
+  context.SetSelf(url::Origin(GURL("http://example.com")));
+  CSPSourceList source_list(
+      false,  // allow_self
+      false,  // allow_star:
+      {CSPSource("", "a.com", false, url::PORT_UNSPECIFIED, false, ""),
+       CSPSource("", "b.com", false, url::PORT_UNSPECIFIED, false, "")});
+  EXPECT_TRUE(source_list.Allow(&context, GURL("http://a.com")));
+  EXPECT_TRUE(source_list.Allow(&context, GURL("http://b.com")));
+  EXPECT_FALSE(source_list.Allow(&context, GURL("http://c.com")));
+}
+
+TEST(CSPSourceList, AllowStar) {
+  CSPContextTest context;
+  context.SetSelf(url::Origin(GURL("http://example.com")));
+  CSPSourceList source_list(false,                      // allow_self
+                            true,                       // allow_star:
+                            std::vector<CSPSource>());  // source_list
+  EXPECT_TRUE(source_list.Allow(&context, GURL("http://not-example.com")));
+  EXPECT_TRUE(source_list.Allow(&context, GURL("https://no-example.com")));

[Mike West, 2017/02/13 14:10:51]

Nit: Please use `not-example.com` throughout.

[arthursonzogni, 2017/02/14 17:07:03]

Done.

+  EXPECT_TRUE(source_list.Allow(&context, GURL("http-so://no-example.com")));
+  EXPECT_TRUE(source_list.Allow(&context, GURL("https-so://no-example.com")));
+  EXPECT_TRUE(source_list.Allow(&context, GURL("ws://no-example.com")));
+  EXPECT_TRUE(source_list.Allow(&context, GURL("wss://no-example.com")));
+  EXPECT_TRUE(source_list.Allow(&context, GURL("ftp://no-example.com")));
+
+  EXPECT_FALSE(source_list.Allow(&context, GURL("file://no-example.com")));
+  EXPECT_FALSE(source_list.Allow(&context, GURL("applewebdata://a.test")));
+
+  // With a protocol of 'file', '*' allow 'file:'
+  context.SetSelf(url::Origin(GURL("file://example.com")));
+  EXPECT_TRUE(source_list.Allow(&context, GURL("file://no-example.com")));
+  EXPECT_FALSE(source_list.Allow(&context, GURL("applewebdata://a.test")));
+}
+
+TEST(CSPSourceList, AllowSelf) {
+  CSPContextTest context;
+  context.SetSelf(url::Origin(GURL("http://example.com")));
+  CSPSourceList source_list(true,                       // allow_self
+                            false,                      // allow_star:
+                            std::vector<CSPSource>());  // source_list
+  EXPECT_TRUE(source_list.Allow(&context, GURL("http://example.com")));
+  EXPECT_FALSE(source_list.Allow(&context, GURL("http://not-example.com")));
+  EXPECT_TRUE(source_list.Allow(&context, GURL("https://example.com")));
+  EXPECT_FALSE(source_list.Allow(&context, GURL("ws://example.com")));
+}
+
+TEST(CSPSourceList, AllowSelfWithFilesystem) {
+  CSPContextTest context;
+  context.SetSelf(url::Origin(GURL("https://a.test")));
+  CSPSourceList source_list(true,                       // allow_self
+                            false,                      // allow_star:
+                            std::vector<CSPSource>());  // source_list
+
+  GURL filesystem_url("filesystem:https://a.test/file.txt");
+
+  EXPECT_TRUE(source_list.Allow(&context, GURL("https://a.test/")));
+  EXPECT_FALSE(source_list.Allow(&context, filesystem_url));
+
+  context.AddSchemeToBypassCSP("https");
+
+  EXPECT_TRUE(source_list.Allow(&context, GURL("https://a.test/")));
+  EXPECT_TRUE(source_list.Allow(&context, filesystem_url));
+}
+
+TEST(CSPSourceList, AllowSelfWithBlob) {
+  CSPContextTest context;
+  context.SetSelf(url::Origin(GURL("https://a.test")));
+  CSPSourceList source_list(true,                       // allow_self

[Mike West, 2017/02/13 14:10:51]

Please add a test verifying `'self' blob:` and `'self' filesystem:`.

[arthursonzogni, 2017/02/14 17:07:03]

I am not sure to understand what is the purpose. Can you explain what do you
want to test?
I will add a test I think is useful, I hope it will be what you were thinking
of.

Please see:
https://codereview.chromium.org/2691063003/

+                            false,                      // allow_star:
+                            std::vector<CSPSource>());  // source_list
+
+  EXPECT_TRUE(source_list.Allow(&context, GURL("https://a.test/")));
+  EXPECT_FALSE(source_list.Allow(&context, GURL("blob:https://a.test/")));
+
+  context.AddSchemeToBypassCSP("https");
+
+  EXPECT_TRUE(source_list.Allow(&context, GURL("https://a.test/")));
+  EXPECT_TRUE(source_list.Allow(&context, GURL("blob:https://a.test/")));
+}
+
+TEST(CSPSourceList, AllowSelfWithUnspecifiedPort) {
+  CSPContext context;
+  context.SetSelf(url::Origin(GURL("chrome://print")));
+  CSPSourceList source_list(true,                       // allow_self
+                            false,                      // allow_star:
+                            std::vector<CSPSource>());  // source_list
+
+  EXPECT_TRUE(source_list.Allow(
+      &context,
+      GURL("chrome://print/pdf_preview.html?chrome://print/1/0/print.pdf")));
+}
+
+TEST(CSPSourceList, AllowNone) {
+  CSPContextTest context;
+  context.SetSelf(url::Origin(GURL("http://example.com")));
+  CSPSourceList source_list(false,                      // allow_self
+                            false,                      // allow_star:
+                            std::vector<CSPSource>());  // source_list
+  EXPECT_FALSE(source_list.Allow(&context, GURL("http://example.com")));
+  EXPECT_FALSE(source_list.Allow(&context, GURL("https://example.test/")));
+}
+
+}  // namespace content