Appcache Manifest Parsing Rule. If the manifest's <scheme> is secure, and the resulting absolute URL does not have the same origin as the manifest's URL, then don't process that url.

BUG=31935
TEST=ManifestParserTest.DifferentOriginUrlWithSecureScheme
Review URL: http://codereview.chromium.org/1521006

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@43148 0039d316-1c4b-4281-b951-d872f2087c98

1 files changed, 27 insertions, 0 deletions

diff --git a/webkit/appcache/manifest_parser_unittest.cc b/webkit/appcache/manifest_parser_unittest.cc
index 2820884..dccf84e 100644
--- a/webkit/appcache/manifest_parser_unittest.cc
+++ b/webkit/appcache/manifest_parser_unittest.cc
@@ -313,5 +313,32 @@ TEST(ManifestParserTest, IgnoreAfterSpace) {
   EXPECT_TRUE(urls.find("http://smorg.borg/resource.txt") != urls.end());
 }
 
+TEST(ManifestParserTest, DifferentOriginUrlWithSecureScheme) {
+  Manifest manifest;
+  const GURL kUrl("https://www.foo.com");
+  const std::string kData("CACHE MANIFEST\r"
+    "CACHE: \r"
+    "relative/secureschemesameorigin\r"
+    "https://www.foo.com/secureschemesameorigin\r"
+    "http://www.xyz.com/secureschemedifforigin\r"
+    "https://www.xyz.com/secureschemedifforigin\r");
+
+  EXPECT_TRUE(ParseManifest(kUrl, kData.c_str(), kData.length(), manifest));
+  EXPECT_TRUE(manifest.fallback_namespaces.empty());
+  EXPECT_TRUE(manifest.online_whitelist_namespaces.empty());
+
+  base::hash_set<std::string> urls = manifest.explicit_urls;
+  const size_t kExpected = 2;
+  ASSERT_EQ(kExpected, urls.size());
+  EXPECT_TRUE(urls.find("https://www.foo.com/relative/secureschemesameorigin")
+      != urls.end());
+  EXPECT_TRUE(urls.find("https://www.foo.com/secureschemesameorigin") !=
+      urls.end());
+  EXPECT_FALSE(urls.find("http://www.xyz.com/secureschemedifforigin") !=
+      urls.end());
+  EXPECT_FALSE(urls.find("https://www.xyz.com/secureschemedifforigin") !=
+      urls.end());
+}
+
 }  // namespace appcache