Moved all tests about bypassing CSP into csp-tests (content layer)

content/common/content_security_policy/content_security_policy_unittest.cc

Index: content/common/content_security_policy/content_security_policy_unittest.cc
diff --git a/content/common/content_security_policy/content_security_policy_unittest.cc b/content/common/content_security_policy/content_security_policy_unittest.cc
index 7a0a0b9a633043490ed00fc3391591a8459d92d6..9cd0fa2f240b912ed413d7751e1f1d934a0475a1 100644
--- a/content/common/content_security_policy/content_security_policy_unittest.cc
+++ b/content/common/content_security_policy/content_security_policy_unittest.cc
@@ -14,12 +14,22 @@ class CSPContextTest : public CSPContext {
  public:
   const std::string& LastConsoleMessage() { return console_message_; }
 
+  void AddSchemeToBypassCSP(const std::string& scheme) {
+    scheme_to_bypass_.push_back(scheme);
+  }
+
+  bool SchemeShouldBypassCSP(const base::StringPiece& scheme) override {
+    return std::find(scheme_to_bypass_.begin(), scheme_to_bypass_.end(),
+                     scheme) != scheme_to_bypass_.end();
+  }
+
  private:
   void ReportContentSecurityPolicyViolation(
       const CSPViolationParams& violation_params) override {
     console_message_ = violation_params.console_message;
   }
   std::string console_message_;
+  std::vector<std::string> scheme_to_bypass_;
 };
 
 ContentSecurityPolicyHeader EmptyCspHeader() {
@@ -132,4 +142,94 @@ TEST(ContentSecurityPolicy, DirectiveFallback) {
   }
 }
 
+TEST(ContentSecurityPolicy, RequestsAllowedWhenBypassingCSP) {
+  CSPContextTest context;
+  std::vector<std::string> report_end_points;  // empty
+  CSPSource source("https", "example.com", false,
+                   url::PORT_UNSPECIFIED, false, "");
+  CSPSourceList source_list(false, false, {source});
+  ContentSecurityPolicy policy(
+      EmptyCspHeader(),
+      {CSPDirective(CSPDirective::DefaultSrc, source_list)},
+      report_end_points);
+
+  EXPECT_TRUE(ContentSecurityPolicy::Allow(policy, CSPDirective::FrameSrc,
+                                           GURL("https://example.com/"),
+                                           false, &context, SourceLocation()));
+  EXPECT_FALSE(ContentSecurityPolicy::Allow(policy, CSPDirective::FrameSrc,
+                                           GURL("https://not-example.com/"),
+                                           false, &context, SourceLocation()));
+
+
+  // Register 'https' as bypassing CSP, which should now bypass is entirely

[arthursonzogni, 2017/04/04 11:54:34]

Nit: missing dot at the end of the comment.
Same thing for the next two comments.

[andypaicu, 2017/04/04 15:10:07]

Done

+  context.AddSchemeToBypassCSP("https");
+
+  EXPECT_TRUE(ContentSecurityPolicy::Allow(policy, CSPDirective::FrameSrc,
+                                           GURL("https://example.com/"),
+                                           false, &context, SourceLocation()));
+  EXPECT_TRUE(ContentSecurityPolicy::Allow(policy, CSPDirective::FrameSrc,
+                                            GURL("https://not-example.com/"),
+                                            false, &context, SourceLocation()));
+}
+
+TEST(ContentSecurityPolicy, FilesystemAllowedWhenBypassingCSP) {
+  CSPContextTest context;
+  std::vector<std::string> report_end_points;  // empty
+  CSPSource source("https", "example.com", false,
+                   url::PORT_UNSPECIFIED, false, "");
+  CSPSourceList source_list(false, false, {source});
+  ContentSecurityPolicy policy(
+      EmptyCspHeader(),
+      {CSPDirective(CSPDirective::DefaultSrc, source_list)},
+      report_end_points);
+
+  EXPECT_FALSE(ContentSecurityPolicy::Allow(policy, CSPDirective::FrameSrc,
+                                           GURL("filesystem:https://example.com/file.txt/"),

[arthursonzogni, 2017/04/04 11:54:34]

This line exceeds 80 character.
Please run git cl format 

For the the URLs in this 3 tests, please declare it on its own line such that it
could be reused.

[arthursonzogni, 2017/04/04 11:54:34]

Why is there a slash at the end of the URL?
There is the same thing in a few other URLs in this CL.

[andypaicu, 2017/04/04 15:10:07]

Urgh... git cl format was failing locally but the presubmit checks where hiding
the error so I thought everything is ok.

The slash is there for copy paste reasons :D. Also the blob URLs don't make
sense with a "file.txt" at the end of the URL.

I'm not exactly sure what you mean by on it's own line. Do you mean have a
variable for the URLs something like GURL exampleURL("https://example.com") and
then use the variable below in the tests? If so I'm not exactly sure if that's a
better approach because it makes the URL less obvious at a glance when looking
at the tests. For me seeing the URL on every test makes it more readable than
having variables and having to look at the variable definition to see what the
actual URL is.

+                                           false, &context, SourceLocation()));
+  EXPECT_FALSE(ContentSecurityPolicy::Allow(policy, CSPDirective::FrameSrc,
+                                            GURL("filesystem:https://not-example.com/file.txt"),
+                                           false, &context, SourceLocation()));
+
+
+  // Register 'https' as bypassing CSP, which should now bypass is entirely
+  context.AddSchemeToBypassCSP("https");
+
+  EXPECT_TRUE(ContentSecurityPolicy::Allow(policy, CSPDirective::FrameSrc,
+                                            GURL("filesystem:https://example.com/file.txt/"),
+                                            false, &context, SourceLocation()));
+  EXPECT_TRUE(ContentSecurityPolicy::Allow(policy, CSPDirective::FrameSrc,
+                                            GURL("filesystem:https://not-example.com/file.txt"),
+                                            false, &context, SourceLocation()));
+}
+
+TEST(ContentSecurityPolicy, BlobAllowedWhenBypassingCSP) {
+  CSPContextTest context;
+  std::vector<std::string> report_end_points;  // empty
+  CSPSource source("https", "example.com", false,
+                   url::PORT_UNSPECIFIED, false, "");
+  CSPSourceList source_list(false, false, {source});
+  ContentSecurityPolicy policy(
+      EmptyCspHeader(),
+      {CSPDirective(CSPDirective::DefaultSrc, source_list)},
+      report_end_points);
+
+  EXPECT_FALSE(ContentSecurityPolicy::Allow(policy, CSPDirective::FrameSrc,
+                                           GURL("blob:https://example.com/file.txt/"),
+                                           false, &context, SourceLocation()));
+  EXPECT_FALSE(ContentSecurityPolicy::Allow(policy, CSPDirective::FrameSrc,
+                                            GURL("blob:https://not-example.com/file.txt"),
+                                           false, &context, SourceLocation()));
+
+
+  // Register 'https' as bypassing CSP, which should now bypass is entirely
+  context.AddSchemeToBypassCSP("https");
+
+  EXPECT_TRUE(ContentSecurityPolicy::Allow(policy, CSPDirective::FrameSrc,
+                                            GURL("blob:https://example.com/file.txt/"),
+                                            false, &context, SourceLocation()));
+  EXPECT_TRUE(ContentSecurityPolicy::Allow(policy, CSPDirective::FrameSrc,
+                                            GURL("blob:https://not-example.com/file.txt"),
+                                            false, &context, SourceLocation()));
+}
+
 }  // namespace content