Moved all tests about bypassing CSP into csp-tests (content layer)

content/common/content_security_policy/content_security_policy_unittest.cc

 // Copyright 2017 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/common/content_security_policy/csp_context.h"
 #include "content/common/content_security_policy_header.h"
 #include "content/common/navigation_params.h"
 #include "testing/gtest/include/gtest/gtest.h"
 
 namespace content {
 
 namespace {
 class CSPContextTest : public CSPContext {
  public:
   const std::string& LastConsoleMessage() { return console_message_; }
 
+  void AddSchemeToBypassCSP(const std::string& scheme) {
+    scheme_to_bypass_.push_back(scheme);
+  }
+
+  bool SchemeShouldBypassCSP(const base::StringPiece& scheme) override {
+    return std::find(scheme_to_bypass_.begin(), scheme_to_bypass_.end(),
+                     scheme) != scheme_to_bypass_.end();
+  }
+
  private:
   void ReportContentSecurityPolicyViolation(
       const CSPViolationParams& violation_params) override {
     console_message_ = violation_params.console_message;
   }
   std::string console_message_;
+  std::vector<std::string> scheme_to_bypass_;
 };
 
 ContentSecurityPolicyHeader EmptyCspHeader() {
   return ContentSecurityPolicyHeader(std::string(),
                                      blink::WebContentSecurityPolicyTypeEnforce,
                                      blink::WebContentSecurityPolicySourceHTTP);
 }
 
 }  // namespace
 
@@ skipping 92 matching lines @@
                                               GURL("http://b.com"), false,
                                               &context, SourceLocation()));
     const char console_message[] =
         "Refused to frame 'http://b.com/' because it violates "
         "the following Content Security Policy directive: \"frame-src "
         "http://a.com\".\n";
     EXPECT_EQ(console_message, context.LastConsoleMessage());
   }
 }
 
+TEST(ContentSecurityPolicy, RequestsAllowedWhenBypassingCSP) {
+  CSPContextTest context;
+  std::vector<std::string> report_end_points;  // empty
+  CSPSource source("https", "example.com", false,
+                   url::PORT_UNSPECIFIED, false, "");
+  CSPSourceList source_list(false, false, {source});
+  ContentSecurityPolicy policy(
+      EmptyCspHeader(),
+      {CSPDirective(CSPDirective::DefaultSrc, source_list)},
+      report_end_points);
+
+  EXPECT_TRUE(ContentSecurityPolicy::Allow(policy, CSPDirective::FrameSrc,
+                                           GURL("https://example.com/"),
+                                           false, &context, SourceLocation()));
+  EXPECT_FALSE(ContentSecurityPolicy::Allow(policy, CSPDirective::FrameSrc,
+                                           GURL("https://not-example.com/"),
+                                           false, &context, SourceLocation()));
+
+
+  // Register 'https' as bypassing CSP, which should now bypass is entirely

[arthursonzogni, 2017/04/04 11:54:34]

Nit: missing dot at the end of the comment.
Same thing for the next two comments.

[andypaicu, 2017/04/04 15:10:07]

Done

+  context.AddSchemeToBypassCSP("https");
+
+  EXPECT_TRUE(ContentSecurityPolicy::Allow(policy, CSPDirective::FrameSrc,
+                                           GURL("https://example.com/"),
+                                           false, &context, SourceLocation()));
+  EXPECT_TRUE(ContentSecurityPolicy::Allow(policy, CSPDirective::FrameSrc,
+                                            GURL("https://not-example.com/"),
+                                            false, &context, SourceLocation()));
+}
+
+TEST(ContentSecurityPolicy, FilesystemAllowedWhenBypassingCSP) {
+  CSPContextTest context;
+  std::vector<std::string> report_end_points;  // empty
+  CSPSource source("https", "example.com", false,
+                   url::PORT_UNSPECIFIED, false, "");
+  CSPSourceList source_list(false, false, {source});
+  ContentSecurityPolicy policy(
+      EmptyCspHeader(),
+      {CSPDirective(CSPDirective::DefaultSrc, source_list)},
+      report_end_points);
+
+  EXPECT_FALSE(ContentSecurityPolicy::Allow(policy, CSPDirective::FrameSrc,
+                                           GURL("filesystem:https://example.com/file.txt/"),

[arthursonzogni, 2017/04/04 11:54:34]

This line exceeds 80 character.
Please run git cl format 

For the the URLs in this 3 tests, please declare it on its own line such that it
could be reused.

[arthursonzogni, 2017/04/04 11:54:34]

Why is there a slash at the end of the URL?
There is the same thing in a few other URLs in this CL.

[andypaicu, 2017/04/04 15:10:07]

Urgh... git cl format was failing locally but the presubmit checks where hiding
the error so I thought everything is ok.

The slash is there for copy paste reasons :D. Also the blob URLs don't make
sense with a "file.txt" at the end of the URL.

I'm not exactly sure what you mean by on it's own line. Do you mean have a
variable for the URLs something like GURL exampleURL("https://example.com") and
then use the variable below in the tests? If so I'm not exactly sure if that's a
better approach because it makes the URL less obvious at a glance when looking
at the tests. For me seeing the URL on every test makes it more readable than
having variables and having to look at the variable definition to see what the
actual URL is.

+                                           false, &context, SourceLocation()));
+  EXPECT_FALSE(ContentSecurityPolicy::Allow(policy, CSPDirective::FrameSrc,
+                                            GURL("filesystem:https://not-example.com/file.txt"),
+                                           false, &context, SourceLocation()));
+
+
+  // Register 'https' as bypassing CSP, which should now bypass is entirely
+  context.AddSchemeToBypassCSP("https");
+
+  EXPECT_TRUE(ContentSecurityPolicy::Allow(policy, CSPDirective::FrameSrc,
+                                            GURL("filesystem:https://example.com/file.txt/"),
+                                            false, &context, SourceLocation()));
+  EXPECT_TRUE(ContentSecurityPolicy::Allow(policy, CSPDirective::FrameSrc,
+                                            GURL("filesystem:https://not-example.com/file.txt"),
+                                            false, &context, SourceLocation()));
+}
+
+TEST(ContentSecurityPolicy, BlobAllowedWhenBypassingCSP) {
+  CSPContextTest context;
+  std::vector<std::string> report_end_points;  // empty
+  CSPSource source("https", "example.com", false,
+                   url::PORT_UNSPECIFIED, false, "");
+  CSPSourceList source_list(false, false, {source});
+  ContentSecurityPolicy policy(
+      EmptyCspHeader(),
+      {CSPDirective(CSPDirective::DefaultSrc, source_list)},
+      report_end_points);
+
+  EXPECT_FALSE(ContentSecurityPolicy::Allow(policy, CSPDirective::FrameSrc,
+                                           GURL("blob:https://example.com/file.txt/"),
+                                           false, &context, SourceLocation()));
+  EXPECT_FALSE(ContentSecurityPolicy::Allow(policy, CSPDirective::FrameSrc,
+                                            GURL("blob:https://not-example.com/file.txt"),
+                                           false, &context, SourceLocation()));
+
+
+  // Register 'https' as bypassing CSP, which should now bypass is entirely
+  context.AddSchemeToBypassCSP("https");
+
+  EXPECT_TRUE(ContentSecurityPolicy::Allow(policy, CSPDirective::FrameSrc,
+                                            GURL("blob:https://example.com/file.txt/"),
+                                            false, &context, SourceLocation()));
+  EXPECT_TRUE(ContentSecurityPolicy::Allow(policy, CSPDirective::FrameSrc,
+                                            GURL("blob:https://not-example.com/file.txt"),
+                                            false, &context, SourceLocation()));
+}
+
 }  // namespace content