
Unified Diff: content/common/content_security_policy/csp_context_unittest.cc

Issue 2612793002: Implement ContentSecurityPolicy on the browser-side. (Closed)
Patch Set: Add the TODO and bug ids that were forgotten. Created 3 years, 10 months ago
Index: content/common/content_security_policy/csp_context_unittest.cc
diff --git a/content/common/content_security_policy/csp_context_unittest.cc b/content/common/content_security_policy/csp_context_unittest.cc
new file mode 100644
index 0000000000000000000000000000000000000000..dd508e00b53a6c52befd359112f74b18152e6ca1
--- /dev/null
+++ b/content/common/content_security_policy/csp_context_unittest.cc
@@ -0,0 +1,84 @@
+// Copyright 2017 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "content/common/content_security_policy/csp_context.h"
+#include "content/common/content_security_policy_header.h"
+#include "testing/gtest/include/gtest/gtest.h"
+
+namespace content {
+
+namespace {
+
+class CSPContextTest : public CSPContext {
+ public:
+ const std::string& LastConsoleMessage() { return console_message_; }
+
+ void AddSchemeToBypassCSP(const std::string& scheme) {
+ scheme_to_bypass_.push_back(scheme);
+ }
+
+ bool SchemeShouldBypassCSP(const base::StringPiece& scheme) override {
+ return std::find(scheme_to_bypass_.begin(), scheme_to_bypass_.end(),
+ scheme) != scheme_to_bypass_.end();
+ }
+
+ private:
+ void LogToConsole(const std::string& message) override {
+ console_message_ = message;
+ }
+ std::string console_message_;
+ std::vector<std::string> scheme_to_bypass_;
+};
+
+// Build a new policy made of only one directive and no report endpoints.
+ContentSecurityPolicy BuildPolicy(CSPDirective::Name directive_name,
+ std::vector<CSPSource> sources) {
+ return ContentSecurityPolicy(
+ blink::WebContentSecurityPolicyTypeEnforce,
+ blink::WebContentSecurityPolicySourceHTTP,
+ {CSPDirective(directive_name, CSPSourceList(false, false, sources))},
+ std::vector<std::string>(), // report_end_points
+ std::string()); // header
+}
+
+} // namespace;
+
+TEST(CSPContextTest, SchemeShouldBypassCSP) {
+ CSPContextTest context;
+ CSPSource source("", "example.com", false, url::PORT_UNSPECIFIED, false, "");
+ ContentSecurityPolicy policy =
+ BuildPolicy(CSPDirective::DefaultSrc, {source});
+ EXPECT_FALSE(context.Allow({policy}, CSPDirective::FrameSrc,
+ GURL("data:text/html,<html></html>")));
+ context.AddSchemeToBypassCSP("data");
+ EXPECT_TRUE(context.Allow({policy}, CSPDirective::FrameSrc,
+ GURL("data:text/html,<html></html>")));
+}
+
+TEST(CSPContextTest, MultiplePolicies) {
+ CSPContextTest context;
+ context.SetSelf(url::Origin(GURL("http://example.com")));
+
+ CSPSource source_a("", "a.com", false, url::PORT_UNSPECIFIED, false, "");
+ CSPSource source_b("", "b.com", false, url::PORT_UNSPECIFIED, false, "");
+ CSPSource source_c("", "c.com", false, url::PORT_UNSPECIFIED, false, "");
+
+ ContentSecurityPolicy policy1 =
+ BuildPolicy(CSPDirective::FrameSrc, {source_a, source_b});
+ ContentSecurityPolicy policy2 =
+ BuildPolicy(CSPDirective::FrameSrc, {source_a, source_c});
+
+ std::vector<ContentSecurityPolicy> policies = {policy1, policy2};
+
+ EXPECT_TRUE(
+ context.Allow(policies, CSPDirective::FrameSrc, GURL("http://a.com")));
+ EXPECT_FALSE(
+ context.Allow(policies, CSPDirective::FrameSrc, GURL("http://b.com")));
+ EXPECT_FALSE(
+ context.Allow(policies, CSPDirective::FrameSrc, GURL("http://c.com")));
+ EXPECT_FALSE(
+ context.Allow(policies, CSPDirective::FrameSrc, GURL("http://d.com")));
+}
+
+} // namespace content
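Review bot: Neither test asserts on `LastConsoleMessage()`, so the `LogToConsole` override and its accessor in `CSPContextTest` go unused and the blocked cases never verify that a violation is actually reported. After the first `EXPECT_FALSE` in `SchemeShouldBypassCSP`, a line such as `EXPECT_FALSE(context.LastConsoleMessage().empty());` would pin that, assuming `Allow` logs when it blocks, which this file does not show. The bypass test also re-checks only the `data:` URL; asserting that a URL whose scheme was not registered is still refused after `AddSchemeToBypassCSP("data")` would catch a bypass that is broader than intended. Separately, the file uses `std::find`, `std::vector` and `std::string` without including `<algorithm>`, `<vector>` and `<string>`, and the closing comment `// namespace;` carries a stray semicolon.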