Relax '*' in CSPSourceList to match the protected resource's protocol.

third_party/WebKit/Source/core/frame/csp/CSPSourceListTest.cpp

 // Copyright 2015 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "core/frame/csp/CSPSourceList.h"
 
 #include "core/dom/Document.h"
 #include "core/frame/csp/CSPSource.h"
 #include "core/frame/csp/ContentSecurityPolicy.h"
 #include "platform/network/ResourceRequest.h"
@@ skipping 75 matching lines @@
     EXPECT_TRUE(sourceList.matches(KURL(base, "http://foo.example.com/")));
     EXPECT_TRUE(sourceList.matches(KURL(base, "http://foo.example.com/bar")));
 
     EXPECT_FALSE(sourceList.matches(KURL(base, "data:https://example.test/")));
     EXPECT_FALSE(sourceList.matches(KURL(base, "blob:https://example.test/")));
     EXPECT_FALSE(sourceList.matches(KURL(base, "filesystem:https://example.test/")));
     EXPECT_FALSE(sourceList.matches(KURL(base, "file:///etc/hosts")));
     EXPECT_FALSE(sourceList.matches(KURL(base, "applewebdata://example.test/")));
 }
 
+TEST_F(CSPSourceListTest, StarMatchesSelf)
+{
+    KURL base;
+    String sources = "*";
+    CSPSourceList sourceList(csp.get(), "script-src");
+    parseSourceList(sourceList, sources);
+
+
+    // With a protocol of 'file', '*' matches 'file:':
+    RefPtr<SecurityOrigin> origin = SecurityOrigin::create("file", "", 0);
+    csp->setupSelf(*origin);
+    EXPECT_TRUE(sourceList.matches(KURL(base, "file:///etc/hosts")));
+
+    // The other results are the same as above:
+    EXPECT_TRUE(sourceList.matches(KURL(base, "http://example.com/")));
+    EXPECT_TRUE(sourceList.matches(KURL(base, "https://example.com/")));
+    EXPECT_TRUE(sourceList.matches(KURL(base, "http://example.com/bar")));
+    EXPECT_TRUE(sourceList.matches(KURL(base, "http://foo.example.com/")));
+    EXPECT_TRUE(sourceList.matches(KURL(base, "http://foo.example.com/bar")));
+
+    EXPECT_FALSE(sourceList.matches(KURL(base, "data:https://example.test/")));
+    EXPECT_FALSE(sourceList.matches(KURL(base, "blob:https://example.test/")));
+    EXPECT_FALSE(sourceList.matches(KURL(base, "filesystem:https://example.test/")));
+    EXPECT_FALSE(sourceList.matches(KURL(base, "applewebdata://example.test/")));
+}
+
 TEST_F(CSPSourceListTest, BasicMatchingSelf)
 {
     KURL base;
     String sources = "'self'";
     CSPSourceList sourceList(csp.get(), "script-src");
     parseSourceList(sourceList, sources);
 
     EXPECT_FALSE(sourceList.matches(KURL(base, "http://example.com/")));
     EXPECT_FALSE(sourceList.matches(KURL(base, "https://not-example.com/")));
     EXPECT_TRUE(sourceList.matches(KURL(base, "https://example.test/")));
@@ skipping 88 matching lines @@
     EXPECT_TRUE(sourceList.matches(KURL(base, "http://example1.com/bar/"), ResourceRequest::RedirectStatus::FollowedRedirect));
     EXPECT_TRUE(sourceList.matches(KURL(base, "http://example2.com/bar/"), ResourceRequest::RedirectStatus::FollowedRedirect));
     EXPECT_TRUE(sourceList.matches(KURL(base, "http://example2.com/foo/"), ResourceRequest::RedirectStatus::FollowedRedirect));
     EXPECT_TRUE(sourceList.matches(KURL(base, "https://example1.com/foo/"), ResourceRequest::RedirectStatus::FollowedRedirect));
     EXPECT_TRUE(sourceList.matches(KURL(base, "https://example1.com/bar/"), ResourceRequest::RedirectStatus::FollowedRedirect));
 
     EXPECT_FALSE(sourceList.matches(KURL(base, "http://example3.com/foo/"), ResourceRequest::RedirectStatus::FollowedRedirect));
 }
 
 } // namespace blink