CSP: Add test: Allow port upgrade without scheme upgrade and vice versa.

third_party/WebKit/Source/core/frame/csp/CSPSourceTest.cpp

Index: third_party/WebKit/Source/core/frame/csp/CSPSourceTest.cpp
diff --git a/third_party/WebKit/Source/core/frame/csp/CSPSourceTest.cpp b/third_party/WebKit/Source/core/frame/csp/CSPSourceTest.cpp
index 5fb8f9373c800ba405f2d7b395dc76b2dd11f347..a1beb0e35e9ec1af9d5db7c45fac400007ddd93c 100644
--- a/third_party/WebKit/Source/core/frame/csp/CSPSourceTest.cpp
+++ b/third_party/WebKit/Source/core/frame/csp/CSPSourceTest.cpp
@@ -141,24 +141,40 @@ TEST_F(CSPSourceTest, InsecureHostSchemeMatchesSecureScheme) {
 
 TEST_F(CSPSourceTest, InsecureHostSchemePortMatchesSecurePort) {
   KURL base;
-  CSPSource source(csp.get(), "http", "example.com", 80, "/",
-                   CSPSource::NoWildcard, CSPSource::NoWildcard);
-  EXPECT_TRUE(source.matches(KURL(base, "http://example.com/")));
-  EXPECT_TRUE(source.matches(KURL(base, "http://example.com:80/")));
-  EXPECT_TRUE(source.matches(KURL(base, "http://example.com:443/")));
-  EXPECT_TRUE(source.matches(KURL(base, "https://example.com/")));
-  EXPECT_TRUE(source.matches(KURL(base, "https://example.com:80/")));
-  EXPECT_TRUE(source.matches(KURL(base, "https://example.com:443/")));
-
-  EXPECT_FALSE(source.matches(KURL(base, "http://example.com:8443/")));
-  EXPECT_FALSE(source.matches(KURL(base, "https://example.com:8443/")));
-
-  EXPECT_FALSE(source.matches(KURL(base, "http://not-example.com/")));
-  EXPECT_FALSE(source.matches(KURL(base, "http://not-example.com:80/")));
-  EXPECT_FALSE(source.matches(KURL(base, "http://not-example.com:443/")));
-  EXPECT_FALSE(source.matches(KURL(base, "https://not-example.com/")));
-  EXPECT_FALSE(source.matches(KURL(base, "https://not-example.com:80/")));
-  EXPECT_FALSE(source.matches(KURL(base, "https://not-example.com:443/")));
+
+  // source scheme is "http"
+  {
+    CSPSource source(csp.get(), "http", "example.com", 80, "/",
+                     CSPSource::NoWildcard, CSPSource::NoWildcard);
+    EXPECT_TRUE(source.matches(KURL(base, "http://example.com/")));
+    EXPECT_TRUE(source.matches(KURL(base, "http://example.com:80/")));
+    EXPECT_TRUE(source.matches(KURL(base, "http://example.com:443/")));

[Mike West, 2017/02/15 06:40:02]

Here too. :)

[arthursonzogni, 2017/02/15 12:17:51]

Done. BUG=692499

+    EXPECT_TRUE(source.matches(KURL(base, "https://example.com/")));
+    EXPECT_TRUE(source.matches(KURL(base, "https://example.com:80/")));

[Mike West, 2017/02/15 06:40:02]

Also here.

[arthursonzogni, 2017/02/15 12:17:51]

Done. BUG=692499

+    EXPECT_TRUE(source.matches(KURL(base, "https://example.com:443/")));
+
+    EXPECT_FALSE(source.matches(KURL(base, "http://example.com:8443/")));
+    EXPECT_FALSE(source.matches(KURL(base, "https://example.com:8443/")));
+
+    EXPECT_FALSE(source.matches(KURL(base, "http://not-example.com/")));
+    EXPECT_FALSE(source.matches(KURL(base, "http://not-example.com:80/")));
+    EXPECT_FALSE(source.matches(KURL(base, "http://not-example.com:443/")));
+    EXPECT_FALSE(source.matches(KURL(base, "https://not-example.com/")));
+    EXPECT_FALSE(source.matches(KURL(base, "https://not-example.com:80/")));
+    EXPECT_FALSE(source.matches(KURL(base, "https://not-example.com:443/")));
+  }
+
+  // source scheme is empty
+  {
+    Persistent<ContentSecurityPolicy> csp(ContentSecurityPolicy::create());
+    csp->setupSelf(*SecurityOrigin::createFromString("http://example.com"));
+    CSPSource source(csp.get(), "", "example.com", 80, "/",
+                     CSPSource::NoWildcard, CSPSource::NoWildcard);
+    EXPECT_TRUE(source.matches(KURL(base, "http://example.com/")));
+    EXPECT_TRUE(source.matches(KURL(base, "https://example.com:443")));
+    // This is strange, the port is upgraded, even if the scheme is not https.
+    EXPECT_TRUE(source.matches(KURL(base, "http://example.com:443")));

[Mike West, 2017/02/15 06:40:02]

Please file a bug and turn this into a TODO.

[arthursonzogni, 2017/02/15 12:17:51]

Done. BUG=692499

+  }
 }
 
 TEST_F(CSPSourceTest, DoesNotSubsume) {