Disallow an empty host in a CSP host-source directive

Disallow an empty host in a CSP host-source directive

Currently "https://" is accepted and treated like "https:". This behavior has never been part of any standard.

The syntax is specified in http://www.w3.org/TR/CSP11/#source-list-syntax

host-source       = [ scheme-part "://" ] host-part [ port-part ] [ path-part ]
host-part         = "*" / [ "*." ] 1*host-char *( "." 1*host-char )

As you can see, the host-part is NOT optional.

BUG=404295
Committed: https://src.chromium.org/viewvc/blink?view=rev&revision=180407

[robwu, 2014-08-16 11:40:14]

PTAL.

I've also updated the description of source-list-parsing-03.html because it
seemed to be an incorrect copy-paste from another test (the directives in test
03 are syntactically valid)

[Mike West, 2014-08-16 12:51:58]

On 2014/08/16 11:40:14, robwu wrote:
> PTAL.
> 
> I've also updated the description of source-list-parsing-03.html because it
> seemed to be an incorrect copy-paste from another test (the directives in test
> 03 are syntactically valid)

lgtm. Thanks for cleaning this up. It's probably worth adding an error message
for this case, as CSPs syntax here is potentially confusing. It might not be
initially clear that we require ':', but forbid '://'. If you'd like to tackle
that in a subsequent CL, I'd happily review it. :)

[robwu, 2014-08-16 13:57:45]

On 2014/08/16 12:51:58, Mike West (OOO until 19th) wrote:
> On 2014/08/16 11:40:14, robwu wrote:
> > PTAL.
> > 
> > I've also updated the description of source-list-parsing-03.html because it
> > seemed to be an incorrect copy-paste from another test (the directives in
test
> > 03 are syntactically valid)
> 
> lgtm. Thanks for cleaning this up. It's probably worth adding an error message
> for this case, as CSPs syntax here is potentially confusing. It might not be
> initially clear that we require ':', but forbid '://'. If you'd like to tackle
> that in a subsequent CL, I'd happily review it. :)

I don't think that is is a common error to use "http://" instead of http: or
"http://*". Especially because using host wildcards kind of defeats the purpose
of the CSP. In any case, the bad directive is printed in the console, so the web
developer can then look in the documentation (MDN, WPD,
content-security-policy.com, W3C) to find the correct syntax.

[robwu, 2014-08-16 13:57:56]

The CQ bit was checked by rob@robwu.nl

[commit-bot: I haz the power, 2014-08-16 13:58:06]

CQ is trying da patch. Follow status at
 https://chromium-status.appspot.com/cq/rob@robwu.nl/470723006/1

[commit-bot: I haz the power, 2014-08-16 14:36:11]

Committed patchset #1 (1) as 180407