From c9db6bdb4c07edca958af4765e1d2e5f1fd6bbd3 Mon Sep 17 00:00:00 2001 From: Mario Sanchez Prada Date: Wed, 20 Jan 2021 13:33:17 +0100 Subject: [PATCH] Adapt test expectations to only consider about:{blank,srcdoc} secure MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Any other about: URL is now considered unsecure according to the spec linked from the upstream commit's description (see [1]) Chromium change: https://source.chromium.org/chromium/chromium/src/+/58fcd77538b8bc6989b2e3290b789f864ddf4dd9 commit 58fcd77538b8bc6989b2e3290b789f864ddf4dd9 Author: Frédéric Wang Date: Thu Dec 3 00:47:31 2020 +0000 Limit about: URLs that are treated as potentially trustworthy Per [1], only about:blank and about:srcdoc URLs should be treated as potentially trustworthy, but Chromium currently accepts all about: URLs. This CL aligns with the current spec, with the additional assumption that query and fragment components are accepted too [2]. This change is not web-visible. [1] https://w3c.github.io/webappsec-secure-contexts/#potentially-trustworthy-url [2] https://github.com/w3c/webappsec-secure-contexts/issues/81 Bug: 1153335, 1153336 --- browser/download/brave_download_item_model_unittest.cc | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/browser/download/brave_download_item_model_unittest.cc b/browser/download/brave_download_item_model_unittest.cc index 086fa123e200..b532461b95e8 100644 --- a/browser/download/brave_download_item_model_unittest.cc +++ b/browser/download/brave_download_item_model_unittest.cc @@ -96,8 +96,12 @@ TEST_F(BraveDownloadItemModelTest, GetOriginUrlText) { {"https://example.com:5678/foo.bar", "https://example.com:5678", true}, // File, secure. {"file:///c:/foo/bar/foo.bar", "file:///", true}, - // about:, secure. - {"about:about", "about:about", true}, + // about:blank, secure. + {"about:blank", "about:blank", true}, + // about:srcdoc, secure. + {"about:srcdoc", "about:srcdoc", true}, + // Other about: URLs, not secure. + {"about:about", "about:about", false}, // invalid, not secure. {"foo.bar.baz", "", false}, // empty, not secure.