Content-Security-Policy: Backporting test of hostmatches in CSPSource.

third_party/WebKit/Source/core/frame/csp/CSPSourceTest.cpp

Index: third_party/WebKit/Source/core/frame/csp/CSPSourceTest.cpp
diff --git a/third_party/WebKit/Source/core/frame/csp/CSPSourceTest.cpp b/third_party/WebKit/Source/core/frame/csp/CSPSourceTest.cpp
index 5fb8f9373c800ba405f2d7b395dc76b2dd11f347..c382d068d9f358cf01b5010769e03b7345bff94d 100644
--- a/third_party/WebKit/Source/core/frame/csp/CSPSourceTest.cpp
+++ b/third_party/WebKit/Source/core/frame/csp/CSPSourceTest.cpp
@@ -161,6 +161,44 @@ TEST_F(CSPSourceTest, InsecureHostSchemePortMatchesSecurePort) {
   EXPECT_FALSE(source.matches(KURL(base, "https://not-example.com:443/")));
 }
 
+TEST_F(CSPSourceTest, HostMatches) {
+  KURL base;
+  Persistent<ContentSecurityPolicy> csp(ContentSecurityPolicy::create());
+  csp->setupSelf(*SecurityOrigin::createFromString("http://a.com"));
+
+  // Host is * (source-expression = "http://*")
+  {
+    CSPSource source(csp.get(), "http", "", 0, "", CSPSource::HasWildcard,
+                     CSPSource::NoWildcard);
+    EXPECT_TRUE(source.matches(KURL(base, "http://a.com")));
+    EXPECT_TRUE(source.matches(KURL(base, "http://.")));
+  }
+
+  // Host is *.foo.bar
+  {
+    CSPSource source(csp.get(), "", "foo.bar", 0, "", CSPSource::HasWildcard,
+                     CSPSource::NoWildcard);
+    EXPECT_FALSE(source.matches(KURL(base, "http://a.com")));
+    EXPECT_FALSE(source.matches(KURL(base, "http://bar")));
+    EXPECT_FALSE(source.matches(KURL(base, "http://foo.bar")));
+    EXPECT_FALSE(source.matches(KURL(base, "http://o.bar")));
+    EXPECT_TRUE(source.matches(KURL(base, "http://*.foo.bar")));

[arthursonzogni, 2017/02/14 14:16:30]

It is strange to me(A wildcard in the host name), but why not.

[Mike West, 2017/02/15 06:43:49]

This should match. It gets canonicalized to something like `%2A.foo.bar`, which
matches `foo.bar` with a host wildcard.

[arthursonzogni, 2017/02/15 12:47:59]

Acknowledged.

+    EXPECT_TRUE(source.matches(KURL(base, "http://sub.foo.bar")));
+    EXPECT_TRUE(source.matches(KURL(base, "http://sub.sub.foo.bar")));
+    EXPECT_TRUE(source.matches(KURL(base, "http://.foo.bar")));

[arthursonzogni, 2017/02/14 14:16:30]

You said it looks strange to you. What do you think should be done?

[Mike West, 2017/02/15 06:43:49]

I did say that this looks strange. Please file a bug... I don't think it's a big
deal, as we apparently transparently rewrite `.example.com` to `example.com` for
navigations, but it's strange regardless.

[arthursonzogni, 2017/02/15 12:47:59]

Done. BUG=692505

+  }
+
+  // Host is exact.
+  {
+    CSPSource source(csp.get(), "", "foo.bar", 0, "", CSPSource::NoWildcard,
+                     CSPSource::NoWildcard);
+    EXPECT_TRUE(source.matches(KURL(base, "http://foo.bar")));
+    EXPECT_FALSE(source.matches(KURL(base, "http://sub.foo.bar")));
+    EXPECT_FALSE(source.matches(KURL(base, "http://bar")));
+    EXPECT_FALSE(source.matches(KURL(base, "http://.foo.bar")));

[arthursonzogni, 2017/02/14 14:16:30]

Same here.

[Mike West, 2017/02/15 06:43:49]

Ditto.

[arthursonzogni, 2017/02/15 12:47:59]

Done.

+  }
+}
+
 TEST_F(CSPSourceTest, DoesNotSubsume) {
   struct Source {
     const char* scheme;