CSP: Allow ':80' to match ':443' in source expressions.

https://github.com/w3c/webappsec-csp/commit/22d08b990290e49f5a666fad08de16d75bb369e7#diff-117d6498d2aa8019cc0abf5eeb87a9fa
updated CSP to allow insecure ports to match secure ports in source
expressions. This is a refinement of the change that landed in
https://codereview.chromium.org/1455973003 to address Sniffly.

BUG=625945
R=jochen@chromium.org

Review-Url: https://codereview.chromium.org/2125873003
Cr-Commit-Position: refs/heads/master@{#404127}
diff --git a/third_party/WebKit/Source/core/frame/csp/CSPSource.cpp b/third_party/WebKit/Source/core/frame/csp/CSPSource.cpp
index 34f11635..b4283a1 100644
--- a/third_party/WebKit/Source/core/frame/csp/CSPSource.cpp
+++ b/third_party/WebKit/Source/core/frame/csp/CSPSource.cpp
@@ -91,6 +91,9 @@
     if (port == m_port)
         return true;
 
+    if (m_port == 80 && (port == 443 || (port == 0 && defaultPortForProtocol(url.protocol()) == 443)))
+        return true;
+
     if (!port)
         return isDefaultPortForProtocol(m_port, url.protocol());
 
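Review bot: The added branch `if (m_port == 80 && (port == 443 || ...))` has no comment and is keyed on port numbers alone, so a reader cannot tell that this widening of the policy is deliberate or how far it reaches. As written it returns true for any URL whose effective port is 443 whatever the URL's scheme is (the new test expects `http://example.com:443/` to match), and it presumably also applies when the source expression itself is written as `https://example.com:80`. Whether the scheme is checked elsewhere is not visible here, because the enclosing function starts and ends outside the hunk. I would add a comment above the branch, for example `// A source port of 80 also matches 443 (explicit, or implied by the URL's scheme), so an 'http:' source keeps matching after an upgrade to HTTPS; 443 never matches 80.`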
diff --git a/third_party/WebKit/Source/core/frame/csp/CSPSourceTest.cpp b/third_party/WebKit/Source/core/frame/csp/CSPSourceTest.cpp
index 016f20a..012ba8b 100644
--- a/third_party/WebKit/Source/core/frame/csp/CSPSourceTest.cpp
+++ b/third_party/WebKit/Source/core/frame/csp/CSPSourceTest.cpp
@@ -71,7 +71,7 @@
     EXPECT_FALSE(source.matches(KURL(base, "http://example.com:9000/foo/"), ResourceRequest::RedirectStatus::NoRedirect));
 }
 
-TEST_F(CSPSourceTest, InsecureSourceMatchesSecure)
+TEST_F(CSPSourceTest, InsecureSchemeMatchesSecureScheme)
 {
     KURL base;
     CSPSource source(csp.get(), "http", "", 0, "/", CSPSource::NoWildcard, CSPSource::HasWildcard);
@@ -83,7 +83,7 @@
     EXPECT_FALSE(source.matches(KURL(base, "ftp://example.com:8000/")));
 }
 
-TEST_F(CSPSourceTest, InsecureHostMatchesSecure)
+TEST_F(CSPSourceTest, InsecureHostSchemeMatchesSecureScheme)
 {
     KURL base;
     CSPSource source(csp.get(), "http", "example.com", 0, "/", CSPSource::NoWildcard, CSPSource::HasWildcard);
@@ -94,4 +94,28 @@
     EXPECT_FALSE(source.matches(KURL(base, "https://not-example.com:8000/")));
 }
 
+TEST_F(CSPSourceTest, InsecureHostSchemePortMatchesSecurePort)
+{
+    KURL base;
+    CSPSource source(csp.get(), "http", "example.com", 80, "/", CSPSource::NoWildcard, CSPSource::NoWildcard);
+    EXPECT_TRUE(source.matches(KURL(base, "http://example.com/")));
+    EXPECT_TRUE(source.matches(KURL(base, "http://example.com:80/")));
+    EXPECT_TRUE(source.matches(KURL(base, "http://example.com:443/")));
+    EXPECT_TRUE(source.matches(KURL(base, "https://example.com/")));
+    EXPECT_TRUE(source.matches(KURL(base, "https://example.com:80/")));
+    EXPECT_TRUE(source.matches(KURL(base, "https://example.com:443/")));
+
+    EXPECT_FALSE(source.matches(KURL(base, "http://example.com:8443/")));
+    EXPECT_FALSE(source.matches(KURL(base, "https://example.com:8443/")));
+
+    EXPECT_FALSE(source.matches(KURL(base, "http://not-example.com/")));
+    EXPECT_FALSE(source.matches(KURL(base, "http://not-example.com:80/")));
+    EXPECT_FALSE(source.matches(KURL(base, "http://not-example.com:443/")));
+    EXPECT_FALSE(source.matches(KURL(base, "https://not-example.com/")));
+    EXPECT_FALSE(source.matches(KURL(base, "https://not-example.com:80/")));
+    EXPECT_FALSE(source.matches(KURL(base, "https://not-example.com:443/")));
+}
+
+
+
 } // namespace blink
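Review bot: InsecureHostSchemePortMatchesSecurePort only exercises a source with port 80, so nothing pins the asymmetry that makes this relaxation safe: a source expression with port 443 should not start matching port 80. Without a negative test, a later refactor of the port check could make the rule symmetric and silently allow a downgrade. I would add a companion test along the lines below; its expectations are what I would expect from the visible branch and should be confirmed against the rest of the function, which is outside the hunk. Separately, the three blank lines added before `} // namespace blink` can be reduced to one.

```cpp
TEST_F(CSPSourceTest, SecureHostSchemePortDoesNotMatchInsecurePort)
{
    KURL base;
    CSPSource source(csp.get(), "https", "example.com", 443, "/", CSPSource::NoWildcard, CSPSource::NoWildcard);
    EXPECT_TRUE(source.matches(KURL(base, "https://example.com/")));
    EXPECT_TRUE(source.matches(KURL(base, "https://example.com:443/")));

    // The 80 -> 443 relaxation must not apply in the other direction.
    EXPECT_FALSE(source.matches(KURL(base, "https://example.com:80/")));
    EXPECT_FALSE(source.matches(KURL(base, "http://example.com/")));
    EXPECT_FALSE(source.matches(KURL(base, "http://example.com:80/")));
}
```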