[nosniff] Fix AllowedByNosniff for chrome:// URL schemes (& friends)

Bug: 890316 Change-Id: I529c99ee497b154ca42d3e3ab5bcf1ab52ab00f3 Reviewed-on: https://chromium-review.googlesource.com/c/1256947 Commit-Queue: Daniel Vogelheim <vogelheim@chromium.org> Reviewed-by: Mike West <mkwst@chromium.org> Cr-Commit-Position: refs/heads/master@{#596660}

[nosniff] Fix AllowedByNosniff for chrome:// URL schemes (& friends)
Bug: 890316 Change-Id: I529c99ee497b154ca42d3e3ab5bcf1ab52ab00f3 Reviewed-on: https://chromium-review.googlesource.com/c/1256947 Commit-Queue: Daniel Vogelheim <vogelheim@chromium.org> Reviewed-by: Mike West <mkwst@chromium.org> Cr-Commit-Position: refs/heads/master@{#596660}
7cb5629d · Daniel Vogelheim · Commit Bot · 1d921b74 · 7cb5629d · 7cb5629d
Commit 7cb5629d authored Oct 04, 2018 by Daniel Vogelheim Committed by Commit Bot Oct 04, 2018
2 changed files
--- a/third_party/blink/renderer/core/loader/allowed_by_nosniff.cc
+++ b/third_party/blink/renderer/core/loader/allowed_by_nosniff.cc
@@ -126,8 +126,11 @@ bool AllowMimeTypeAsScript(const String& mime_type,
 bool MimeTypeAsScriptImpl(ExecutionContext* execution_context,
                          const ResourceResponse& response,
                          bool is_worker_global_scope) {
-  // Is it a file:-URL? If so, decide based on file suffix.
-  if (response.Url().IsLocalFile() &&
+  // The content type is really only meaningful for the http:-family & data
+  // schemes.
+  bool is_http_family_or_data = response.Url().ProtocolIsInHTTPFamily() ||
+                                response.Url().ProtocolIsData();
+  if (!is_http_family_or_data &&
      response.Url().LastPathComponent().EndsWith(".js")) {
    return true;
  }

--- a/third_party/blink/renderer/core/loader/allowed_by_nosniff_test.cc
+++ b/third_party/blink/renderer/core/loader/allowed_by_nosniff_test.cc
@@ -189,4 +189,36 @@ TEST_F(AllowedByNosniffTest, Counters) {
  }
 }

+TEST_F(AllowedByNosniffTest, AllTheSchemes) {
+  // We test various URL schemes.
+  // To force a decision based on the scheme, we give all responses an
+  // invalid Content-Type plus a "nosniff" header. That way, all Content-Type
+  // based checks are always denied and we can test for whether this is decided
+  // based on the URL or not.
+  struct {
+    const char* url;
+    bool allowed;
+  } data[] = {
+      {"http://example.com/bla.js", false},
+      {"https://example.com/bla.js", false},
+      {"file://etc/passwd.js", true},
+      {"file://etc/passwd", false},
+      {"chrome://dino/dino.js", true},
+      {"chrome://dino/dino.css", false},
+      {"ftp://example.com/bla.js", true},
+      {"ftp://example.com/bla.txt", false},
+  };
+
+  for (auto& testcase : data) {
+    SetUp();
+    SCOPED_TRACE(testing::Message() << "\n  url: " << testcase.url
+                                    << "\n  allowed: " << testcase.allowed);
+    ResourceResponse response(KURL(testcase.url));
+    response.SetHTTPHeaderField("Content-Type", "invalid");
+    response.SetHTTPHeaderField("X-Content-Type-Options", "nosniff");
+    EXPECT_EQ(testcase.allowed,
+              AllowedByNosniff::MimeTypeAsScript(doc(), response));
+  }
+}
+
 }  // namespace blink