Implement ContentSecurityPolicy on the browser-side.

content/common/content_security_policy/csp_source_unittest.cc

Index: content/common/content_security_policy/csp_source_unittest.cc
diff --git a/content/common/content_security_policy/csp_source_unittest.cc b/content/common/content_security_policy/csp_source_unittest.cc
new file mode 100644
index 0000000000000000000000000000000000000000..a98c7ce5a2712e1b401788ae28df5c5c61be7a99
--- /dev/null
+++ b/content/common/content_security_policy/csp_source_unittest.cc
@@ -0,0 +1,298 @@
+// Copyright 2017 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "content/common/content_security_policy/csp_context.h"
+#include "testing/gtest/include/gtest/gtest.h"
+
+namespace content {
+
+TEST(CSPSourceTest, BasicMatching) {
+  CSPContext context;
+
+  CSPSource source("http", "example.com", false, 8000, false, "/foo/");

[Mike West, 2017/02/13 14:10:51]

Can you add a check for a source without a trailing `/`? That is, the URL
`/foo/bar` should not match the CSPSource of `/foo`.

[arthursonzogni, 2017/02/14 17:07:03]

This is done in CSPSourceTest.AllowPath, section "path to a file" and "path to a
directory"

I copied this test as-is from its blink equivalent.

+
+  EXPECT_TRUE(source.Allow(&context, GURL("http://example.com:8000/foo/")));
+  EXPECT_TRUE(source.Allow(&context, GURL("http://example.com:8000/foo/bar")));
+  EXPECT_TRUE(source.Allow(&context, GURL("HTTP://EXAMPLE.com:8000/foo/BAR")));

[Mike West, 2017/02/13 14:10:51]

Can you add a check that `https://example.com:8000` matches
`http://example.com:8000`? (Upgrades are always allowed)

[arthursonzogni, 2017/02/14 17:07:03]

It is the same here, it is done in CSPSourceTest.AllowScheme section "http ->
{http, https}"

+
+  EXPECT_FALSE(source.Allow(&context, GURL("http://example.com:8000/bar/")));
+  EXPECT_FALSE(source.Allow(&context, GURL("https://example.com:8000/bar/")));
+  EXPECT_FALSE(source.Allow(&context, GURL("http://example.com:9000/bar/")));
+  EXPECT_FALSE(source.Allow(&context, GURL("HTTP://example.com:8000/FOO/bar")));
+  EXPECT_FALSE(source.Allow(&context, GURL("HTTP://example.com:8000/FOO/BAR")));
+}
+
+TEST(CSPSourceTest, AllowScheme) {
+  CSPContext context;
+
+  // http -> { http, https}.
+  {
+    CSPSource source("http", "", false, url::PORT_UNSPECIFIED, false, "");
+    EXPECT_TRUE(source.Allow(&context, GURL("http://a.com")));
+    EXPECT_TRUE(source.Allow(&context, GURL("https://a.com")));
+    EXPECT_FALSE(source.Allow(&context, GURL("ftp://a.com")));
+    EXPECT_FALSE(source.Allow(&context, GURL("ws://a.com")));
+    EXPECT_FALSE(source.Allow(&context, GURL("wss://a.com")));
+  }
+
+  // ws -> { ws, wss}.
+  {
+    CSPSource source("ws", "", false, url::PORT_UNSPECIFIED, false, "");
+    EXPECT_FALSE(source.Allow(&context, GURL("http://a.com")));
+    EXPECT_FALSE(source.Allow(&context, GURL("https://a.com")));
+    EXPECT_FALSE(source.Allow(&context, GURL("ftp://a.com")));
+    EXPECT_TRUE(source.Allow(&context, GURL("ws://a.com")));
+    EXPECT_TRUE(source.Allow(&context, GURL("wss://a.com")));
+  }
+
+  // Exact matches required (ftp)
+  {
+    CSPSource source("ftp", "", false, url::PORT_UNSPECIFIED, false, "");
+    EXPECT_TRUE(source.Allow(&context, GURL("ftp://a.com")));
+    EXPECT_FALSE(source.Allow(&context, GURL("http://a.com")));
+  }
+
+  // Exact matches required (https)
+  {
+    CSPSource source("https", "", false, url::PORT_UNSPECIFIED, false, "");
+    EXPECT_TRUE(source.Allow(&context, GURL("https://a.com")));
+    EXPECT_FALSE(source.Allow(&context, GURL("http://a.com")));
+  }
+
+  // Exact matches required (wss)
+  {
+    CSPSource source("wss", "", false, url::PORT_UNSPECIFIED, false, "");
+    EXPECT_TRUE(source.Allow(&context, GURL("wss://a.com")));
+    EXPECT_FALSE(source.Allow(&context, GURL("ws://a.com")));
+  }
+
+  // Scheme is empty (ProtocolMatchesSelf).
+  {
+    CSPSource source("", "a.com", false, url::PORT_UNSPECIFIED, false, "");
+    EXPECT_FALSE(source.Allow(&context, GURL("http://a.com")));
+
+    // Self's scheme is http.
+    context.SetSelf(url::Origin(GURL("http://a.com")));
+    EXPECT_TRUE(source.Allow(&context, GURL("http://a.com")));
+    EXPECT_TRUE(source.Allow(&context, GURL("https://a.com")));
+    EXPECT_TRUE(source.Allow(&context, GURL("http-so://a.com")));
+    EXPECT_TRUE(source.Allow(&context, GURL("https-so://a.com")));
+    EXPECT_FALSE(source.Allow(&context, GURL("ftp://a.com")));
+
+    // Self's is https.
+    context.SetSelf(url::Origin(GURL("https://a.com")));
+    EXPECT_FALSE(source.Allow(&context, GURL("http://a.com")));
+    EXPECT_TRUE(source.Allow(&context, GURL("https://a.com")));
+    EXPECT_FALSE(source.Allow(&context, GURL("http-so://a.com")));
+    // REVIEW(): Is it the correct behavior?
+    EXPECT_FALSE(source.Allow(&context, GURL("https-so://a.com")));

[Mike West, 2017/02/13 14:10:51]

This seems wrong. We should be treating `https-so` as `https` here, as we're
inside fetch, which does not care about the origin's serialization.

[arthursonzogni, 2017/02/14 17:07:03]

Same results on the renderer-side:
https://codereview.chromium.org/2694233002/

[Mike West, 2017/02/15 16:18:17]

Actually, this makes sense now that I think about it. The suborigin
serialization treats the leftmost DNS label as the suborigin. So this is really
`https://com` with a suborigin of `a`, which doesn't (and shouldn't) match
`a.com`. Sorry for my confusion.

+    EXPECT_FALSE(source.Allow(&context, GURL("ftp://a.com")));
+
+    // Self's scheme is not in the http familly.
+    context.SetSelf(url::Origin(GURL("ftp://a.com/")));
+    EXPECT_FALSE(source.Allow(&context, GURL("http://a.com")));
+    EXPECT_TRUE(source.Allow(&context, GURL("ftp://a.com")));
+
+    // Self's scheme is unique.
+    context.SetSelf(url::Origin(GURL("non-standard-scheme://a.com")));
+    EXPECT_FALSE(source.Allow(&context, GURL("http://a.com")));
+    EXPECT_FALSE(source.Allow(&context, GURL("non-standard-scheme://a.com")));

[Mike West, 2017/02/13 14:10:51]

This seems wrong too. This should match.

That said, I'm not sure we can ever cause it to happen for a navigation, as
anything on a non-standard scheme is going to be rendering in something other
than Blink.

[arthursonzogni, 2017/02/14 17:07:03]

Same results on the renderer-side.
https://codereview.chromium.org/2694233002/

+  }
+}
+
+TEST(CSPSourceTest, AllowHost) {
+  CSPContext context;
+  context.SetSelf(url::Origin(GURL("http://example.com")));
+
+  // Host is * (source-expression = "http://*")
+  {
+    CSPSource source("http", "", true, url::PORT_UNSPECIFIED, false, "");
+    EXPECT_TRUE(source.Allow(&context, GURL("http://a.com")));
+    EXPECT_TRUE(source.Allow(&context, GURL("http://.")));
+  }
+
+  // Host is *.foo.bar
+  {
+    CSPSource source("", "foo.bar", true, url::PORT_UNSPECIFIED, false, "");
+    EXPECT_FALSE(source.Allow(&context, GURL("http://a.com")));
+    EXPECT_FALSE(source.Allow(&context, GURL("http://bar")));
+    EXPECT_FALSE(source.Allow(&context, GURL("http://foo.bar")));
+    EXPECT_FALSE(source.Allow(&context, GURL("http://o.bar")));
+    EXPECT_TRUE(source.Allow(&context, GURL("http://*.foo.bar")));
+    EXPECT_TRUE(source.Allow(&context, GURL("http://sub.foo.bar")));
+    EXPECT_TRUE(source.Allow(&context, GURL("http://sub.sub.foo.bar")));
+    // FOR-REVIEWER: strange case?
+    EXPECT_TRUE(source.Allow(&context, GURL("http://.foo.bar")));

[Mike West, 2017/02/13 14:10:51]

Doesn't the `.` get normalized away?

[arthursonzogni, 2017/02/14 17:07:03]

No, I tried and got:
GURL("http://foo.bar") != GURL("http://.foo.bar")

Same results on the renderer-side:
https://codereview.chromium.org/2697853002/

+  }
+
+  // Host is exact.
+  {
+    CSPSource source("", "foo.bar", false, url::PORT_UNSPECIFIED, false, "");
+    EXPECT_TRUE(source.Allow(&context, GURL("http://foo.bar")));
+    EXPECT_FALSE(source.Allow(&context, GURL("http://sub.foo.bar")));
+    EXPECT_FALSE(source.Allow(&context, GURL("http://bar")));
+    EXPECT_FALSE(source.Allow(&context, GURL("http://.foo.bar")));

[Mike West, 2017/02/13 14:10:51]

This surprises me.

[arthursonzogni, 2017/02/14 17:07:03]

Same result on the renderer-side:
https://codereview.chromium.org/2697853002/

+  }
+}
+
+TEST(CSPSourceTest, AllowPort) {
+  CSPContext context;
+  context.SetSelf(url::Origin(GURL("http://example.com")));
+
+  // Source's port unspecified.
+  {
+    CSPSource source("", "a.com", false, url::PORT_UNSPECIFIED, false, "");
+    EXPECT_TRUE(source.Allow(&context, GURL("http://a.com:80")));
+    EXPECT_FALSE(source.Allow(&context, GURL("http://a.com:8080")));
+    EXPECT_FALSE(source.Allow(&context, GURL("http://a.com:443")));
+    EXPECT_FALSE(source.Allow(&context, GURL("https://a.com:80")));
+    EXPECT_FALSE(source.Allow(&context, GURL("https://a.com:8080")));
+    EXPECT_TRUE(source.Allow(&context, GURL("https://a.com:443")));
+    EXPECT_FALSE(source.Allow(&context, GURL("unknown://a.com:80")));
+    EXPECT_TRUE(source.Allow(&context, GURL("http://a.com")));

[Mike West, 2017/02/13 14:10:51]

Can you add `https://a.com` as well?

[arthursonzogni, 2017/02/14 17:07:03]

Done.

+  }
+
+  // Source's port is "*".
+  {
+    CSPSource source("", "a.com", false, url::PORT_UNSPECIFIED, true, "");
+    EXPECT_TRUE(source.Allow(&context, GURL("http://a.com")));
+    EXPECT_TRUE(source.Allow(&context, GURL("http://a.com:80")));
+    EXPECT_TRUE(source.Allow(&context, GURL("http://a.com:8080")));
+    EXPECT_TRUE(source.Allow(&context, GURL("https://a.com:8080")));
+    EXPECT_TRUE(source.Allow(&context, GURL("https://a.com:0")));
+    EXPECT_TRUE(source.Allow(&context, GURL("https://a.com")));
+  }
+
+  // Source has a port.
+  {
+    CSPSource source("", "a.com", false, 80, false, "");
+    EXPECT_TRUE(source.Allow(&context, GURL("http://a.com:80")));
+    EXPECT_TRUE(source.Allow(&context, GURL("http://a.com")));
+    EXPECT_FALSE(source.Allow(&context, GURL("http://a.com:8080")));
+    EXPECT_TRUE(source.Allow(&context, GURL("https://a.com")));
+  }
+
+  // Allow upgrade from :80 to :443
+  {
+    CSPSource source("", "a.com", false, 80, false, "");
+    EXPECT_TRUE(source.Allow(&context, GURL("https://a.com:443")));
+    // REVIEW(arthursonzogni): Is it expected?
+    EXPECT_TRUE(source.Allow(&context, GURL("http://a.com:443")));

[Mike West, 2017/02/13 14:10:51]

Seems weird. Does this work in Blink today?

[arthursonzogni, 2017/02/14 17:07:03]

Yes it works on blink today.
Please see: https://codereview.chromium.org/2689363003

+  }
+
+  // Host is * but port is specified
+  {
+    CSPSource source("http", "", true, 111, false, "");
+    EXPECT_TRUE(source.Allow(&context, GURL("http://a.com:111")));
+    EXPECT_FALSE(source.Allow(&context, GURL("http://a.com:222")));
+  }
+}
+
+TEST(CSPSourceTest, AllowPath) {
+  CSPContext context;
+  context.SetSelf(url::Origin(GURL("http://example.com")));
+
+  // Path to a file
+  {
+    CSPSource source("", "a.com", false, url::PORT_UNSPECIFIED, false,
+                     "/path/to/file");
+    EXPECT_TRUE(source.Allow(&context, GURL("http://a.com/path/to/file")));

[Mike West, 2017/02/13 14:10:51]

Please add an expectation for `/path/to/file/with/subpath`

[arthursonzogni, 2017/02/14 17:07:03]

Nice catch. Done!

+    EXPECT_FALSE(source.Allow(&context, GURL("http://a.com/path/to/")));
+    EXPECT_FALSE(
+        source.Allow(&context, GURL("http://a.com/path/to/something")));
+  }
+
+  // Path to a directory
+  {
+    CSPSource source("", "a.com", false, url::PORT_UNSPECIFIED, false,
+                     "/path/to/");
+    EXPECT_TRUE(source.Allow(&context, GURL("http://a.com/path/to/file")));
+    EXPECT_TRUE(source.Allow(&context, GURL("http://a.com/path/to/")));
+    EXPECT_FALSE(source.Allow(&context, GURL("http://a.com/path/")));
+    EXPECT_FALSE(source.Allow(&context, GURL("http://a.com/path/to")));
+    EXPECT_FALSE(source.Allow(&context, GURL("http://a.com/path/to")));
+  }
+
+  // Empty path
+  {
+    CSPSource source("", "a.com", false, url::PORT_UNSPECIFIED, false, "");
+    EXPECT_TRUE(source.Allow(&context, GURL("http://a.com/path/to/file")));
+    EXPECT_TRUE(source.Allow(&context, GURL("http://a.com/path/to/")));
+    EXPECT_TRUE(source.Allow(&context, GURL("http://a.com/")));
+    EXPECT_TRUE(source.Allow(&context, GURL("http://a.com")));
+  }
+
+  // Almost empty path
+  {
+    CSPSource source("", "a.com", false, url::PORT_UNSPECIFIED, false, "/");
+    EXPECT_TRUE(source.Allow(&context, GURL("http://a.com/path/to/file")));
+    EXPECT_TRUE(source.Allow(&context, GURL("http://a.com/path/to/")));
+    EXPECT_TRUE(source.Allow(&context, GURL("http://a.com/")));
+    EXPECT_TRUE(source.Allow(&context, GURL("http://a.com")));
+  }
+
+  // Path encoded.
+  {
+    CSPSource source("http", "a.com", false, url::PORT_UNSPECIFIED, false,
+                     "/Hello Günter");
+    EXPECT_TRUE(
+        source.Allow(&context, GURL("http://a.com/Hello%20G%C3%BCnter")));
+    EXPECT_TRUE(source.Allow(&context, GURL("http://a.com/Hello Günter")));
+  }
+
+  // Host is * but path is specified.
+  {
+    CSPSource source("http", "", true, url::PORT_UNSPECIFIED, false,
+                     "/allowed-path");
+    EXPECT_TRUE(source.Allow(&context, GURL("http://a.com/allowed-path")));
+    EXPECT_FALSE(source.Allow(&context, GURL("http://a.com/disallowed-path")));
+  }
+}
+
+TEST(CSPSourceTest, RedirectMatching) {
+  CSPContext context;
+  CSPSource source("http", "a.com", false, 8000, false, "/bar/");
+  EXPECT_TRUE(source.Allow(&context, GURL("http://a.com:8000/"), true));
+  EXPECT_TRUE(source.Allow(&context, GURL("http://a.com:8000/foo"), true));
+  EXPECT_TRUE(source.Allow(&context, GURL("https://a.com:8000/foo"), true));
+  EXPECT_FALSE(source.Allow(&context, GURL("http://not-a.com:8000/foo"), true));
+  EXPECT_FALSE(source.Allow(&context, GURL("http://a.com:9000/foo/"), false));
+}
+
+TEST(CSPSourceTest, ToString) {
+  {
+    CSPSource source("http", "", false, url::PORT_UNSPECIFIED, false, "");
+    EXPECT_EQ("http:", source.ToString());
+  }
+  {
+    CSPSource source("http", "a.com", false, url::PORT_UNSPECIFIED, false, "");
+    EXPECT_EQ("http://a.com", source.ToString());
+  }
+  {
+    CSPSource source("", "a.com", false, url::PORT_UNSPECIFIED, false, "");
+    EXPECT_EQ("a.com", source.ToString());
+  }
+  {
+    CSPSource source("", "a.com", true, url::PORT_UNSPECIFIED, false, "");
+    EXPECT_EQ("*.a.com", source.ToString());
+  }
+  {
+    CSPSource source("", "", true, url::PORT_UNSPECIFIED, false, "");
+    EXPECT_EQ("*", source.ToString());
+  }
+  {
+    CSPSource source("", "a.com", false, 80, false, "");
+    EXPECT_EQ("a.com:80", source.ToString());
+  }
+  {
+    CSPSource source("", "a.com", false, url::PORT_UNSPECIFIED, true, "");
+    EXPECT_EQ("a.com:*", source.ToString());
+  }
+  {
+    CSPSource source("", "a.com", false, url::PORT_UNSPECIFIED, false, "/path");
+    EXPECT_EQ("a.com/path", source.ToString());
+  }
+}
+
+}  // namespace content