Content-Security-Policy: Add tests when source scheme is empty.

third_party/WebKit/Source/core/frame/csp/CSPSourceTest.cpp

 // Copyright 2015 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "core/frame/csp/CSPSource.h"
 
 #include "core/dom/Document.h"
 #include "core/frame/csp/ContentSecurityPolicy.h"
 #include "platform/network/ResourceRequest.h"
 #include "platform/weborigin/KURL.h"
@@ skipping 121 matching lines @@
   KURL base;
   CSPSource source(csp.get(), "http", "example.com", 0, "/",
                    CSPSource::NoWildcard, CSPSource::HasWildcard);
 
   EXPECT_TRUE(source.matches(KURL(base, "http://example.com:8000/")));
   EXPECT_FALSE(source.matches(KURL(base, "http://not-example.com:8000/")));
   EXPECT_TRUE(source.matches(KURL(base, "https://example.com:8000/")));
   EXPECT_FALSE(source.matches(KURL(base, "https://not-example.com:8000/")));
 }
 
+TEST_F(CSPSourceTest, SchemeIsEmpty) {
+  KURL base;
+
+  // Self scheme is http.
+  {
+    Persistent<ContentSecurityPolicy> csp(ContentSecurityPolicy::create());
+    csp->setupSelf(*SecurityOrigin::createFromString("http://a.com/"));
+    CSPSource source(csp.get(), "", "a.com", 0, "/", CSPSource::NoWildcard,
+                     CSPSource::NoWildcard);
+    EXPECT_TRUE(source.matches(KURL(base, "http://a.com")));
+    EXPECT_TRUE(source.matches(KURL(base, "https://a.com")));
+    EXPECT_TRUE(source.matches(KURL(base, "http-so://a.com")));
+    EXPECT_TRUE(source.matches(KURL(base, "https-so://a.com")));
+    EXPECT_FALSE(source.matches(KURL(base, "ftp://a.com")));
+  }
+
+  // Self scheme is https.
+  {
+    Persistent<ContentSecurityPolicy> csp(ContentSecurityPolicy::create());
+    csp->setupSelf(*SecurityOrigin::createFromString("https://a.com/"));
+    CSPSource source(csp.get(), "", "a.com", 0, "/", CSPSource::NoWildcard,
+                     CSPSource::NoWildcard);
+    EXPECT_FALSE(source.matches(KURL(base, "http://a.com")));
+    EXPECT_TRUE(source.matches(KURL(base, "https://a.com")));
+    EXPECT_FALSE(source.matches(KURL(base, "http-so://a.com")));
+    EXPECT_FALSE(source.matches(KURL(base, "https-so://a.com")));

[arthursonzogni, 2017/02/14 12:54:22]

Same unexpected behavior as in https://codereview.chromium.org/2691063003/
Do you think I should fill a bug report?

[Mike West, 2017/02/15 06:46:00]

Yes, please file a bug and add a TODO. I don't know if we ever see a suborigin
serialization when we're hitting CSP (I don't think we do), but we should make
sure that the behavior is sane.

I'm more worried about this in the browser process than in Blink, though. Part
of the serialization mess we've created is to bridge that gap. :/

[arthursonzogni, 2017/02/15 12:00:14]

Done, BUG=692442

+    EXPECT_FALSE(source.matches(KURL(base, "ftp://a.com")));
+  }
+
+  // Self scheme is not in the http familly.
+  {
+    Persistent<ContentSecurityPolicy> csp(ContentSecurityPolicy::create());
+    csp->setupSelf(*SecurityOrigin::createFromString("ftp://a.com/"));
+    CSPSource source(csp.get(), "", "a.com", 0, "/", CSPSource::NoWildcard,
+                     CSPSource::NoWildcard);
+    EXPECT_FALSE(source.matches(KURL(base, "http://a.com")));
+    EXPECT_TRUE(source.matches(KURL(base, "ftp://a.com")));
+  }
+
+  // Self scheme is unique
+  {
+    Persistent<ContentSecurityPolicy> csp(ContentSecurityPolicy::create());
+    csp->setupSelf(
+        *SecurityOrigin::createFromString("non-standard-scheme://a.com/"));
+    CSPSource source(csp.get(), "", "a.com", 0, "/", CSPSource::NoWildcard,
+                     CSPSource::NoWildcard);
+    EXPECT_FALSE(source.matches(KURL(base, "http://a.com")));
+    EXPECT_FALSE(source.matches(KURL(base, "non-standard-scheme://a.com")));

[arthursonzogni, 2017/02/14 12:54:23]

Same behavior as in https://codereview.chromium.org/2691063003/
Maybe this case doesn't happens in practice though.
It is nice to keep this test to detect future changes.

[Mike West, 2017/02/15 06:46:00]

Please file a bug and add a TODO. This seems wrong.

[arthursonzogni, 2017/02/15 12:00:14]

Done. BUG=692449

+  }
+}
+
 TEST_F(CSPSourceTest, InsecureHostSchemePortMatchesSecurePort) {
   KURL base;
   CSPSource source(csp.get(), "http", "example.com", 80, "/",
                    CSPSource::NoWildcard, CSPSource::NoWildcard);
   EXPECT_TRUE(source.matches(KURL(base, "http://example.com/")));
   EXPECT_TRUE(source.matches(KURL(base, "http://example.com:80/")));
   EXPECT_TRUE(source.matches(KURL(base, "http://example.com:443/")));
   EXPECT_TRUE(source.matches(KURL(base, "https://example.com/")));
   EXPECT_TRUE(source.matches(KURL(base, "https://example.com:80/")));
   EXPECT_TRUE(source.matches(KURL(base, "https://example.com:443/")));
@@ skipping 628 matching lines @@
     normalized = B->intersect(A);
     Source intersectBA = {
         normalized->m_scheme,       normalized->m_host,
         normalized->m_path,         normalized->m_port,
         normalized->m_hostWildcard, normalized->m_portWildcard};
     EXPECT_TRUE(equalSources(intersectBA, test.normalized));
   }
 }
 
 }  // namespace blink