author | Allan Sandfeld Jensen <allan.jensen@theqtcompany.com> | 2016-07-28 10:33:15 +0200 |
---|---|---|
committer | Allan Sandfeld Jensen <allan.jensen@qt.io> | 2016-08-10 13:48:09 +0000 |
commit | 696c084930b870a5b1fd7f176d4e7ccb3eff416c (patch) | |
tree | 8e2c5ac345e5d3c45873d189319b4e7af650e497 | |
parent | 491c8b7069d14197e873a8a62cb1b6650157db6c (diff) | |
download | qtwebengine-chromium-696c084930b870a5b1fd7f176d4e7ccb3eff416c.tar.gz |
[Backport] CSP: Allow ':80' to match ':443' in source expressions.
https://github.com/w3c/webappsec-csp/commit/22d08b990290e49f5a666fad08de16d75bb369e7#diff-117d6498d2aa8019cc0abf5eeb87a9fa
updated CSP to allow insecure ports to match secure ports in source
expressions. This is a refinement of the change that landed in
https://codereview.chromium.org/1455973003 to address Sniffly.
BUG=625945
R=jochen@chromium.org
Review-Url: https://codereview.chromium.org/2125873003
(CVE-2016-5137)
Change-Id: Id413b3e7c76f0c0996ae8cef7929ce8ef18fa1af
Reviewed-by: Michael Brüning <michael.bruning@qt.io>
-rw-r--r-- | chromium/third_party/WebKit/Source/core/frame/csp/CSPSource.cpp | 3 | ||||
-rw-r--r-- | chromium/third_party/WebKit/Source/core/frame/csp/CSPSourceTest.cpp | 29 |
2 files changed, 29 insertions, 3 deletions
diff --git a/chromium/third_party/WebKit/Source/core/frame/csp/CSPSource.cpp b/chromium/third_party/WebKit/Source/core/frame/csp/CSPSource.cpp
index e2b6b18f654..5ddd449e9c6 100644
--- a/chromium/third_party/WebKit/Source/core/frame/csp/CSPSource.cpp
+++ b/chromium/third_party/WebKit/Source/core/frame/csp/CSPSource.cpp
@@ -92,6 +92,9 @@ bool CSPSource::portMatches(const KURL& url) const
 if (port == m_port)
 return true;
+ if (m_port == 80 && (port == 443 || (port == 0 && (url.protocol() == "https" || url.protocol() == "wss")))) return true; + if (!port)
 return isDefaultPortForProtocol(m_port, url.protocol());
diff --git a/chromium/third_party/WebKit/Source/core/frame/csp/CSPSourceTest.cpp b/chromium/third_party/WebKit/Source/core/frame/csp/CSPSourceTest.cpp
index 97cfd8e6d37..7feda4eeae8 100644
--- a/chromium/third_party/WebKit/Source/core/frame/csp/CSPSourceTest.cpp
+++ b/chromium/third_party/WebKit/Source/core/frame/csp/CSPSourceTest.cpp
@@ -19,7 +19,6 @@ public:
 : csp(ContentSecurityPolicy::create())
 {
 }
- protected:
 RefPtr<ContentSecurityPolicy> csp;
 };
@@ -69,7 +68,7 @@ TEST_F(CSPSourceTest, RedirectMatching)
 EXPECT_FALSE(source.matches(KURL(base, "http://example.com:9000/foo/"), ContentSecurityPolicy::DidNotRedirect));
 }
-TEST_F(CSPSourceTest, InsecureSourceMatchesSecure)
+TEST_F(CSPSourceTest, InsecureSchemeMatchesSecureScheme)
 {
 KURL base;
 CSPSource source(csp.get(), "http", "", 0, "/", CSPSource::NoWildcard, CSPSource::HasWildcard);
@@ -81,7 +80,7 @@ TEST_F(CSPSourceTest, InsecureSourceMatchesSecure)
 EXPECT_FALSE(source.matches(KURL(base, "ftp://example.com:8000/")));
 }
-TEST_F(CSPSourceTest, InsecureHostMatchesSecure)
+TEST_F(CSPSourceTest, InsecureHostSchemeMatchesSecureScheme)
 {
 KURL base;
 CSPSource source(csp.get(), "http", "example.com", 0, "/", CSPSource::NoWildcard, CSPSource::HasWildcard);
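Review bot: The new port check in portMatches is a bare magic-number rule with no comment saying why it is deliberately one-directional, so a later maintainer could "symmetrize" it and let a `:443` source expression match port 80, which is exactly the downgrade the rule must not permit. I would hoist the nested condition into a named local and document it: `// An insecure source port (80) may match the secure default (443), explicit or implied by an https/wss URL; the reverse is never allowed.` followed by `bool urlOnSecureDefaultPort = port == 0 && (url.protocol() == "https" || url.protocol() == "wss");` and `if (m_port == 80 && (port == 443 || urlOnSecureDefaultPort))`. Note that the branch keys only on the URL's protocol and never on the source's own scheme, so a port-80 source of any scheme that otherwise matches would also accept port 443; whether schemeMatches has already constrained that depends on the ordering in matches(), which is outside this hunk. portMatches begins before the hunk (its signature appears only in the hunk header) and any branches after the isDefaultPortForProtocol return are not shown.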
@@ -92,4 +91,28 @@ TEST_F(CSPSourceTest, InsecureHostMatchesSecure)
 EXPECT_FALSE(source.matches(KURL(base, "https://not-example.com:8000/")));
 }
+TEST_F(CSPSourceTest, InsecureHostSchemePortMatchesSecurePort)
+{
+ KURL base;
+ CSPSource source(csp.get(), "http", "example.com", 80, "/", CSPSource::NoWildcard, CSPSource::NoWildcard);
+ EXPECT_TRUE(source.matches(KURL(base, "http://example.com/")));
+ EXPECT_TRUE(source.matches(KURL(base, "http://example.com:80/")));
+ EXPECT_TRUE(source.matches(KURL(base, "http://example.com:443/")));
+ EXPECT_TRUE(source.matches(KURL(base, "https://example.com/")));
+ EXPECT_TRUE(source.matches(KURL(base, "https://example.com:80/")));
+ EXPECT_TRUE(source.matches(KURL(base, "https://example.com:443/")));
+
+ EXPECT_FALSE(source.matches(KURL(base, "http://example.com:8443/")));
+ EXPECT_FALSE(source.matches(KURL(base, "https://example.com:8443/")));
+
+ EXPECT_FALSE(source.matches(KURL(base, "http://not-example.com/")));
+ EXPECT_FALSE(source.matches(KURL(base, "http://not-example.com:80/")));
+ EXPECT_FALSE(source.matches(KURL(base, "http://not-example.com:443/")));
+ EXPECT_FALSE(source.matches(KURL(base, "https://not-example.com/")));
+ EXPECT_FALSE(source.matches(KURL(base, "https://not-example.com:80/")));
+ EXPECT_FALSE(source.matches(KURL(base, "https://not-example.com:443/")));
+}
+
+
+
 } // namespace |
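Review bot: The new test pins the port-80-to-443 direction but never asserts that the relaxation is one-way, so a regression that also let a `:443` source match port 80 would pass this suite unchanged. Add a second fixture such as `CSPSource secure(csp.get(), "https", "example.com", 443, "/", CSPSource::NoWildcard, CSPSource::NoWildcard);` with `EXPECT_FALSE(secure.matches(KURL(base, "http://example.com:80/")));` and `EXPECT_FALSE(secure.matches(KURL(base, "http://example.com/")));`. The production branch in CSPSource.cpp also names `wss` explicitly, yet no case here uses a ws or wss source or URL, so that half of the condition is untested; a ws source on port 80 matched against `wss://example.com/` would cover it, assuming the ws-to-wss scheme relaxation behaves like the http-to-https one exercised by the neighbouring tests. The run of blank lines added before `} // namespace` looks unintentional and should be collapsed to one.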