Stop CSP from matching independent scheme/port upgrades

third_party/WebKit/Source/core/frame/csp/CSPSource.h

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef CSPSource_h
 #define CSPSource_h
 
 #include "core/CoreExport.h"
 #include "core/frame/csp/ContentSecurityPolicy.h"
 #include "platform/heap/Handle.h"
 #include "platform/network/ResourceRequest.h"
 #include "public/platform/WebContentSecurityPolicyStruct.h"
 #include "wtf/Allocator.h"
 #include "wtf/text/WTFString.h"
 
 namespace blink {
 
 class ContentSecurityPolicy;
 class KURL;
 
 class CORE_EXPORT CSPSource : public GarbageCollectedFinalized<CSPSource> {
  public:
   enum WildcardDisposition { NoWildcard, HasWildcard };
 
+  // NotMatching is the only negative member, the rest are different types of
+  // matches. NotMatching should always be 0 to let if statements work nicely

[Mike West, 2017/02/24 10:56:28]

Nit: Did you consider making this an `enum class` and doing explicit comparisons
to `WhateverNotMatching` instead? It looks like there's only one place it
matters, and being explicit might be better.

[andypaicu, 2017/03/13 10:07:20]

I have no strong feelings one way or the other
https://www.youtube.com/watch?v=ussCHoQttyQ

+  enum PortMatchingResult {
+    PortNotMatching = 0,
+    PortMatchingWildcard,
+    PortMatchingUpgrade,
+    PortMatchingExact
+  };

[Mike West, 2017/02/24 10:56:28]

Tiny nit: Newline after the enum.

[andypaicu, 2017/03/13 10:07:20]

Done.

+  enum SchemeMatchingResult {
+    SchemeNotMatching = 0,
+    SchemeMatchingUpgrade,
+    SchemeMatchingExact
+  };
+
   CSPSource(ContentSecurityPolicy*,
             const String& scheme,
             const String& host,
             int port,
             const String& path,
             WildcardDisposition hostWildcard,
             WildcardDisposition portWildcard);
   bool isSchemeOnly() const;
   const String& getScheme() { return m_scheme; };
   bool matches(const KURL&,
@@ skipping 21 matching lines @@
   FRIEND_TEST_ALL_PREFIXES(CSPSourceTest, Intersect);
   FRIEND_TEST_ALL_PREFIXES(CSPSourceTest, IntersectSchemesOnly);
   FRIEND_TEST_ALL_PREFIXES(SourceListDirectiveTest, GetIntersectCSPSources);
   FRIEND_TEST_ALL_PREFIXES(SourceListDirectiveTest,
                            GetIntersectCSPSourcesSchemes);
   FRIEND_TEST_ALL_PREFIXES(CSPDirectiveListTest, GetSourceVector);
   FRIEND_TEST_ALL_PREFIXES(CSPDirectiveListTest, OperativeDirectiveGivenType);
   FRIEND_TEST_ALL_PREFIXES(SourceListDirectiveTest, SubsumesWithSelf);
   FRIEND_TEST_ALL_PREFIXES(SourceListDirectiveTest, GetSources);
 
-  bool schemeMatches(const String&) const;
+  SchemeMatchingResult schemeMatches(const String&) const;
   bool hostMatches(const String&) const;
   bool pathMatches(const String&) const;
   // Protocol is necessary to determine default port if it is zero.
-  bool portMatches(int port, const String& protocol) const;
+  PortMatchingResult portMatches(int port, const String& protocol) const;
   bool isSimilar(CSPSource* other) const;
 
+  // Helper inline functions for Port and Scheme MatchingResult enums
+  bool inline requiresUpgrade(const PortMatchingResult result) const {
+    return result == PortMatchingUpgrade;
+  }
+  bool inline requiresUpgrade(const SchemeMatchingResult result) const {
+    return result == SchemeMatchingUpgrade;
+  }
+
+  bool inline canUpgrade(const PortMatchingResult result) const {
+    return result == PortMatchingUpgrade || result == PortMatchingWildcard;
+  }
+
+  bool inline canUpgrade(const SchemeMatchingResult result) const {
+    return result == SchemeMatchingUpgrade;
+  }
+
   Member<ContentSecurityPolicy> m_policy;
   String m_scheme;
   String m_host;
   int m_port;
   String m_path;
 
   WildcardDisposition m_hostWildcard;
   WildcardDisposition m_portWildcard;
 };
 
 }  // namespace blink
 
 #endif