Content-Security-Policy: Add tests when source scheme is empty.

third_party/WebKit/Source/core/frame/csp/CSPSourceTest.cpp

Index: third_party/WebKit/Source/core/frame/csp/CSPSourceTest.cpp
diff --git a/third_party/WebKit/Source/core/frame/csp/CSPSourceTest.cpp b/third_party/WebKit/Source/core/frame/csp/CSPSourceTest.cpp
index 5fb8f9373c800ba405f2d7b395dc76b2dd11f347..2dede986277eea866b61aa3257b77222300416eb 100644
--- a/third_party/WebKit/Source/core/frame/csp/CSPSourceTest.cpp
+++ b/third_party/WebKit/Source/core/frame/csp/CSPSourceTest.cpp
@@ -139,6 +139,57 @@ TEST_F(CSPSourceTest, InsecureHostSchemeMatchesSecureScheme) {
   EXPECT_FALSE(source.matches(KURL(base, "https://not-example.com:8000/")));
 }
 
+TEST_F(CSPSourceTest, SchemeIsEmpty) {
+  KURL base;
+
+  // Self scheme is http.
+  {
+    Persistent<ContentSecurityPolicy> csp(ContentSecurityPolicy::create());
+    csp->setupSelf(*SecurityOrigin::createFromString("http://a.com/"));
+    CSPSource source(csp.get(), "", "a.com", 0, "/", CSPSource::NoWildcard,
+                     CSPSource::NoWildcard);
+    EXPECT_TRUE(source.matches(KURL(base, "http://a.com")));
+    EXPECT_TRUE(source.matches(KURL(base, "https://a.com")));
+    EXPECT_TRUE(source.matches(KURL(base, "http-so://a.com")));
+    EXPECT_TRUE(source.matches(KURL(base, "https-so://a.com")));
+    EXPECT_FALSE(source.matches(KURL(base, "ftp://a.com")));
+  }
+
+  // Self scheme is https.
+  {
+    Persistent<ContentSecurityPolicy> csp(ContentSecurityPolicy::create());
+    csp->setupSelf(*SecurityOrigin::createFromString("https://a.com/"));
+    CSPSource source(csp.get(), "", "a.com", 0, "/", CSPSource::NoWildcard,
+                     CSPSource::NoWildcard);
+    EXPECT_FALSE(source.matches(KURL(base, "http://a.com")));
+    EXPECT_TRUE(source.matches(KURL(base, "https://a.com")));
+    EXPECT_FALSE(source.matches(KURL(base, "http-so://a.com")));
+    EXPECT_FALSE(source.matches(KURL(base, "https-so://a.com")));

[arthursonzogni, 2017/02/14 12:54:22]

Same unexpected behavior as in https://codereview.chromium.org/2691063003/
Do you think I should fill a bug report?

[Mike West, 2017/02/15 06:46:00]

Yes, please file a bug and add a TODO. I don't know if we ever see a suborigin
serialization when we're hitting CSP (I don't think we do), but we should make
sure that the behavior is sane.

I'm more worried about this in the browser process than in Blink, though. Part
of the serialization mess we've created is to bridge that gap. :/

[arthursonzogni, 2017/02/15 12:00:14]

Done, BUG=692442

+    EXPECT_FALSE(source.matches(KURL(base, "ftp://a.com")));
+  }
+
+  // Self scheme is not in the http familly.
+  {
+    Persistent<ContentSecurityPolicy> csp(ContentSecurityPolicy::create());
+    csp->setupSelf(*SecurityOrigin::createFromString("ftp://a.com/"));
+    CSPSource source(csp.get(), "", "a.com", 0, "/", CSPSource::NoWildcard,
+                     CSPSource::NoWildcard);
+    EXPECT_FALSE(source.matches(KURL(base, "http://a.com")));
+    EXPECT_TRUE(source.matches(KURL(base, "ftp://a.com")));
+  }
+
+  // Self scheme is unique
+  {
+    Persistent<ContentSecurityPolicy> csp(ContentSecurityPolicy::create());
+    csp->setupSelf(
+        *SecurityOrigin::createFromString("non-standard-scheme://a.com/"));
+    CSPSource source(csp.get(), "", "a.com", 0, "/", CSPSource::NoWildcard,
+                     CSPSource::NoWildcard);
+    EXPECT_FALSE(source.matches(KURL(base, "http://a.com")));
+    EXPECT_FALSE(source.matches(KURL(base, "non-standard-scheme://a.com")));

[arthursonzogni, 2017/02/14 12:54:23]

Same behavior as in https://codereview.chromium.org/2691063003/
Maybe this case doesn't happens in practice though.
It is nice to keep this test to detect future changes.

[Mike West, 2017/02/15 06:46:00]

Please file a bug and add a TODO. This seems wrong.

[arthursonzogni, 2017/02/15 12:00:14]

Done. BUG=692449

+  }
+}
+
 TEST_F(CSPSourceTest, InsecureHostSchemePortMatchesSecurePort) {
   KURL base;
   CSPSource source(csp.get(), "http", "example.com", 80, "/",