Split CSP into pre- and post-upgrade checks

third_party/WebKit/LayoutTests/external/wpt/content-security-policy/securitypolicyviolation/upgrade-insecure-requests-reporting.https.html

Index: third_party/WebKit/LayoutTests/external/wpt/content-security-policy/securitypolicyviolation/upgrade-insecure-requests-reporting.https.html
diff --git a/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/securitypolicyviolation/upgrade-insecure-requests-reporting.https.html b/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/securitypolicyviolation/upgrade-insecure-requests-reporting.https.html
new file mode 100644
index 0000000000000000000000000000000000000000..8abea804997ae9b1461984b4c3342c5d76f9b771
--- /dev/null
+++ b/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/securitypolicyviolation/upgrade-insecure-requests-reporting.https.html
@@ -0,0 +1,35 @@
+<!doctype html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/upgrade-insecure-requests/support/testharness-helper.sub.js"></script>
+<body>
+<script>
+    function waitForViolation(el) {
+      return new Promise(resolve => {
+        el.addEventListener('securitypolicyviolation', e => resolve(e));
+      });
+    }
+
+    async_test(t => {
+      var url = generateURL(Host.SAME_ORIGIN, Protocol.INSECURE, ResourceType.IMAGE).url;
+      var i = document.createElement('img');
+      var loaded = false;

[estark, 2017/04/12 01:35:19]

surely there is some nicer way to write a test with two step_funcs where the
test is done when both steps have completed...?

[Mike West, 2017/04/12 13:31:36]

You'd think so. But you have to build it yourself. This, of course, is absurd.
:(

[estark, 2017/04/13 01:42:18]

Acknowledged.

+      var reported = false;
+      waitForViolation(window)
+        .then(t.step_func(e => {
+           assert_equals(e.blockedURI, url);
+           reported = true;
+           if (loaded)
+             t.done();
+      }));
+      i.onload = t.step_func(_ => {
+        assert_equals(i.naturalHeight, 64, "Height.");
+        assert_equals(i.naturalWidth, 168, "Width.");

[Mike West, 2017/04/12 13:31:36]

Best to drop these comparisons. Andy found that WPT sometimes fails to deliver
images, which makes for flaky tests. :( The `onload` check is probably enough.

[estark, 2017/04/13 01:42:17]

Done.

+        loaded = true;
+        if (reported)
+          t.done();
+      });
+      i.onerror = t.unreached_func(url + " should load successfully.");
+      i.src = url;
+    }, "Upgraded image is reported");

[Mike West, 2017/04/12 13:31:36]

Can you add an iframe check as well? Some of that code has moved up to
//content, so let's verify that we're checking it early enough in blink to catch
the upgrade.

[estark, 2017/04/13 01:42:18]

I have learned many exciting things:

- I added an iframe test, which revealed that this check needed to be duplicated
in a second place inside Blink, in FrameLoader.

- AFAICT the upgrade always happens in Blink, either in FrameLoader or
FrameFetchContext, but in PlzNavigate, the frame-src CSP gets checked in the
browser process, so this whole approach doesn't work for PlzNavigate. One could
imagine checking report-only headers in Blink, then doing the upgrade in Blink,
then checking enforced headers in //content... but that seems extremely weird to
me and I have no idea what it might break. (It already seems weird that the
upgrade is in Blink while the CSP checking is in //content in the browser
process.) So I left a TODO for the PlzNavigate case for now since I have no idea
what to do about it.

- I added a general (not uir related) wpt to test that both enforced and
report-only policies are checked on frames that redirect, however...

- I then tried writing a test for when a frame redirects from https to http but
things are broken x2. First, UIR doesn't work for redirects
(https://crbug.com/615885), so we can't really test the whole scenario (i.e.
that a frame that redirects from https to http is both reported and upgraded).
So then I thought maybe we should just test that a frame redirects from https to
http is reported, even if we can't test that it's upgraded, but that's broken
because it looks like mixed content blocking and CSP reporting don't play
nicely: https://crbug.com/711105. Soooo, long story short, I think we should
punt for now on testing that iframes that redirect to a mixed URL are reported,
but I did add a test that an img which redirects to http gets reported.

+</script>