| Index: third_party/WebKit/Source/core/frame/csp/CSPSourceTest.cpp
|
| diff --git a/third_party/WebKit/Source/core/frame/csp/CSPSourceTest.cpp b/third_party/WebKit/Source/core/frame/csp/CSPSourceTest.cpp
|
| index 36590e967f0e74f4dc1ee7c7612860e6909f09eb..f6b2d7a716c0d76b5a9cdfb5c314475e96d35b79 100644
|
| --- a/third_party/WebKit/Source/core/frame/csp/CSPSourceTest.cpp
|
| +++ b/third_party/WebKit/Source/core/frame/csp/CSPSourceTest.cpp
|
| @@ -105,10 +105,10 @@ TEST_F(CSPSourceTest, RedirectMatching) {
|
| EXPECT_TRUE(
|
| source.matches(KURL(base, "http://example.com:8000/foo"),
|
| ResourceRequest::RedirectStatus::FollowedRedirect));
|
| - EXPECT_TRUE(
|
| + // Should not allow upgrade of port or scheme without upgrading both
|
| + EXPECT_FALSE(
|
| source.matches(KURL(base, "https://example.com:8000/foo"),
|
| ResourceRequest::RedirectStatus::FollowedRedirect));
|
| -
|
| EXPECT_FALSE(
|
| source.matches(KURL(base, "http://not-example.com:8000/foo"),
|
| ResourceRequest::RedirectStatus::FollowedRedirect));
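Review bot: The comment added above the flipped `EXPECT_FALSE` for `https://example.com:8000/foo` speaks of upgrading "port or scheme", but 8000 is not a default port, so this case only exercises a scheme change on an explicit custom port. Wording such as `// Scheme upgraded (http -> https) while the explicit port 8000 is unchanged: must not match.` would tell a reader which rule the assertion pins. The same flipped expectation in InsecureHostSchemeMatchesSecureScheme (`https://example.com:8000/`) has no comment at all. If the source is `http://example.com:8000`, as the passing http case suggests, a policy listing it presumably stops covering that host once it serves HTTPS on the same port, so the comment should state that this is intended. The source under test is constructed outside the hunk.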
|
| @@ -135,7 +135,7 @@ TEST_F(CSPSourceTest, InsecureHostSchemeMatchesSecureScheme) {
|
|
|
| EXPECT_TRUE(source.matches(KURL(base, "http://example.com:8000/")));
|
| EXPECT_FALSE(source.matches(KURL(base, "http://not-example.com:8000/")));
|
| - EXPECT_TRUE(source.matches(KURL(base, "https://example.com:8000/")));
|
| + EXPECT_FALSE(source.matches(KURL(base, "https://example.com:8000/")));
|
| EXPECT_FALSE(source.matches(KURL(base, "https://not-example.com:8000/")));
|
| }
|
|
|
| @@ -205,13 +205,12 @@ TEST_F(CSPSourceTest, InsecureHostSchemePortMatchesSecurePort) {
|
| CSPSource::NoWildcard, CSPSource::NoWildcard);
|
| EXPECT_TRUE(source.matches(KURL(base, "http://example.com/")));
|
| EXPECT_TRUE(source.matches(KURL(base, "http://example.com:80/")));
|
| - // TODO(mkwst, arthursonzogni): It is weird to upgrade the port without the
|
| - // sheme. See http://crbug.com/692499
|
| - EXPECT_TRUE(source.matches(KURL(base, "http://example.com:443/")));
|
| +
|
| + // Should not allow scheme upgrades unless both port and scheme are upgraded
|
| + EXPECT_FALSE(source.matches(KURL(base, "http://example.com:443/")));
|
| EXPECT_TRUE(source.matches(KURL(base, "https://example.com/")));
|
| - // TODO(mkwst, arthursonzogni): It is weird to upgrade the scheme without
|
| - // the port. See http://crbug.com/692499
|
| - EXPECT_TRUE(source.matches(KURL(base, "https://example.com:80/")));
|
| + EXPECT_FALSE(source.matches(KURL(base, "https://example.com:80/")));
|
| +
|
| EXPECT_TRUE(source.matches(KURL(base, "https://example.com:443/")));
|
|
|
| EXPECT_FALSE(source.matches(KURL(base, "http://example.com:8443/")));
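Review bot: The new comment before the `http://example.com:443/` expectation says "scheme upgrades", but that URL keeps the http scheme and changes only the port. The scheme-only case is `https://example.com:80/` further down, which has no comment. Suggest `// Port changed to 443 while the scheme stays http: must not match.` above the first and `// Scheme upgraded to https while the port stays 80: must not match.` above the second. The removed TODOs pointed at crbug.com/692499; keeping that reference in one of the new comments would preserve the link to the rationale for the stricter matching. The test body starts before the hunk and continues past it.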
|
| @@ -233,9 +232,21 @@ TEST_F(CSPSourceTest, InsecureHostSchemePortMatchesSecurePort) {
|
| CSPSource::NoWildcard, CSPSource::NoWildcard);
|
| EXPECT_TRUE(source.matches(KURL(base, "http://example.com/")));
|
| EXPECT_TRUE(source.matches(KURL(base, "https://example.com:443")));
|
| - // TODO(mkwst, arthursonzogni): It is weird to upgrade the port without the
|
| - // sheme. See http://crbug.com/692499
|
| - EXPECT_TRUE(source.matches(KURL(base, "http://example.com:443")));
|
| + // Should not allow upgrade of port or scheme without upgrading both
|
| + EXPECT_FALSE(source.matches(KURL(base, "http://example.com:443")));
|
| + }
|
| +
|
| + // source port is empty
|
| + {
|
| + CSPSource source(csp.get(), "http", "example.com", 0, "/",
|
| + CSPSource::NoWildcard, CSPSource::NoWildcard);
|
| +
|
| + EXPECT_TRUE(source.matches(KURL(base, "http://example.com")));
|
| + EXPECT_TRUE(source.matches(KURL(base, "https://example.com")));
|
| + EXPECT_TRUE(source.matches(KURL(base, "https://example.com:443")));
|
| + // Should not allow upgrade of port or scheme without upgrading both
|
| + EXPECT_FALSE(source.matches(KURL(base, "https://example.com:80")));
|
| + EXPECT_FALSE(source.matches(KURL(base, "http://example.com:443")));
|
| }
|
| }
|
|
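Review bot: The new "source port is empty" block never checks a non-default port, which is the case where a matching regression would widen a policy rather than narrow it. Consider adding `EXPECT_FALSE(source.matches(KURL(base, "https://example.com:8443")));` (constructed example; the expected result assumes an empty source port matches only the scheme's default port) and an explicit-default case such as `EXPECT_TRUE(source.matches(KURL(base, "http://example.com:80")));`. The block comment could also say that the literal `0` passed to the constructor is what apparently stands for "no port in the source expression", since the value is otherwise unexplained here.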
|
|
|