Add tests for SecurityOrigin::IsSecure and network::Is*PotentiallyTrustworthy

This CL adds tests for the following functions:

SecurityOrigin::IsSecure
network::IsUrlPotentiallyTrustworthy
network::IsOriginPotentiallyTrustworthy

They cover various cases of [1] as well as existing support in Blink.
There is no behavior change, the expectations are just set to make the
tests pass with the current implementations. This will make easier to
compare and unify them.

[1] https://w3c.github.io/webappsec-secure-contexts/#is-url-trustworthy

Bug: 1153336
Change-Id: I40b6b8aaabd8ae7d0f97ceaa5ab4462eebfff585
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2593629Reviewed-by: Mike West <mkwst@chromium.org>
Reviewed-by: Matt Falkenhagen <falken@chromium.org>
Commit-Queue: Frédéric Wang <fwang@igalia.com>
Cr-Commit-Position: refs/heads/master@{#837984}

services/network/public/cpp/is_potentially_trustworthy_unittest.cc

@@ -10,6 +10,7 @@
 #include "testing/gtest/include/gtest/gtest.h"
 #include "url/gurl.h"
 #include "url/origin.h"
+#include "url/url_util.h"
 
 namespace network {
 
@@ -49,6 +50,10 @@ TEST(IsPotentiallyTrustworthy, Origin) {
   EXPECT_FALSE(IsOriginPotentiallyTrustworthy("about:srcdoc"));
   EXPECT_FALSE(IsOriginPotentiallyTrustworthy("javascript:alert('blah')"));
   EXPECT_FALSE(IsOriginPotentiallyTrustworthy("data:test/plain;blah"));
+
+  EXPECT_FALSE(IsOriginPotentiallyTrustworthy("custom-scheme://example.com"));
+  EXPECT_TRUE(
+      IsOriginPotentiallyTrustworthy("quic-transport://example.com/counter"));
 }
 
 TEST(IsPotentiallyTrustworthy, Url) {
@@ -134,6 +139,31 @@ TEST(IsPotentiallyTrustworthy, Url) {
       IsUrlPotentiallyTrustworthy("blob:ftp://127.0.0.1/guid-goes-here"));
   EXPECT_TRUE(IsUrlPotentiallyTrustworthy(
       "blob:https://www.example.com/guid-goes-here"));
+
+  EXPECT_FALSE(IsUrlPotentiallyTrustworthy("blob:data:text/html,Hello"));
+  EXPECT_FALSE(IsUrlPotentiallyTrustworthy("blob:about:blank"));
+  EXPECT_FALSE(IsUrlPotentiallyTrustworthy("filesystem:data:text/html,Hello"));
+  EXPECT_FALSE(IsUrlPotentiallyTrustworthy("filesystem:about:blank"));
+  EXPECT_FALSE(IsUrlPotentiallyTrustworthy(
+      "blob:blob:https://example.com/578223a1-8c13-17b3-84d5-eca045ae384a"));
+  EXPECT_FALSE(
+      IsUrlPotentiallyTrustworthy("filesystem:blob:https://example.com/"
+                                  "578223a1-8c13-17b3-84d5-eca045ae384a"));
+
+  EXPECT_TRUE(
+      IsUrlPotentiallyTrustworthy("quic-transport://example.com/counter"));
+  EXPECT_FALSE(IsUrlPotentiallyTrustworthy("custom-scheme://example.com"));
+}
+
+TEST(IsPotentiallyTrustworthy, CustomScheme) {
+  url::ScopedSchemeRegistryForTests scoped_registry;
+  url::AddSecureScheme("custom-scheme");
+
+  // TODO(crbug.com/1159371): These tests should return true.
+  EXPECT_FALSE(IsOriginPotentiallyTrustworthy(
+      "custom-scheme://578223a1-8c13-17b3-84d5-eca045ae384a/fun.js"));
+  EXPECT_FALSE(IsUrlPotentiallyTrustworthy(
+      "custom-scheme://578223a1-8c13-17b3-84d5-eca045ae384a/fun.js"));
 }
 
 // Tests that were for the removed blink::network_utils::IsOriginSecure.

third_party/blink/renderer/platform/weborigin/security_origin_test.cc

@@ -210,6 +210,9 @@ TEST_F(SecurityOriginTest, IsSecure) {
     bool is_secure;
     const char* url;
   } inputs[] = {
+      // TODO(crbug.com/1153336): Should SecurityOrigin::IsSecure be aligned
+      // with network::IsURLPotentiallyTrustworthy?
+      // https://w3c.github.io/webappsec-secure-contexts/#is-url-trustworthy
       {false, "blob:ftp://evil:99/578223a1-8c13-17b3-84d5-eca045ae384a"},
       {false, "blob:http://example.com/578223a1-8c13-17b3-84d5-eca045ae384a"},
       {false, "file:///etc/passwd"},
@@ -219,8 +222,25 @@ TEST_F(SecurityOriginTest, IsSecure) {
       {true, "blob:https://example.com/578223a1-8c13-17b3-84d5-eca045ae384a"},
       {true, "https://example.com/"},
       {true, "wss://example.com/"},
-
       {true, "about:blank"},
+      {true, "about:srcdoc"},
+      {true, "about:about"},
+      {true, "data:text/html,Hello"},
+      {false,
+       "filesystem:http://example.com/578223a1-8c13-17b3-84d5-eca045ae384a"},
+      {true,
+       "filesystem:https://example.com/578223a1-8c13-17b3-84d5-eca045ae384a"},
+      {true, "blob:data:text/html,Hello"},
+      {true, "blob:about:blank"},
+      {false, "filesystem:data:text/html,Hello"},
+      {false, "filesystem:about:blank"},
+      {false,
+       "blob:blob:https://example.com/578223a1-8c13-17b3-84d5-eca045ae384a"},
+      {false,
+       "filesystem:blob:https://example.com/"
+       "578223a1-8c13-17b3-84d5-eca045ae384a"},
+      {false, "custom-scheme://example.com"},
+      {true, "quic-transport://example.com/counter"},
       {false, ""},
       {false, "\0"},
   };
@@ -232,10 +252,19 @@ TEST_F(SecurityOriginTest, IsSecure) {
   EXPECT_FALSE(SecurityOrigin::IsSecure(NullURL()));
 }
 
+TEST_F(SecurityOriginTest, IsCustomSchemeSecure) {
+  url::ScopedSchemeRegistryForTests scoped_registry;
+  url::AddSecureScheme("custom-scheme");
+  EXPECT_TRUE(SecurityOrigin::IsSecure(KURL("custom-scheme://example.com")));
+}
+
 TEST_F(SecurityOriginTest, IsSecureViaTrustworthy) {
+  // TODO(crbug.com/1153336): Should SecurityOrigin::IsSecure be aligned with
+  // network::IsURLPotentiallyTrustworthy?
+  // https://w3c.github.io/webappsec-secure-contexts/#is-url-trustworthy
   const char* urls[] = {"http://localhost/", "http://localhost:8080/",
                         "http://127.0.0.1/", "http://127.0.0.1:8080/",
-                        "http://[::1]/"};
+                        "http://[::1]/",     "http://vhost.localhost/"};
 
   for (const char* test : urls) {
     KURL url(test);