Prevent cross-site pages when --site-per-process is passed

content/browser/child_process_security_policy_unittest.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include <set>
 #include <string>
 
 #include "base/basictypes.h"
 #include "base/file_path.h"
 #include "base/platform_file.h"
@@ skipping 112 matching lines @@
   EXPECT_FALSE(p->IsDisabledScheme("good-scheme"));
 }
 
 TEST_F(ChildProcessSecurityPolicyTest, StandardSchemesTest) {
   ChildProcessSecurityPolicyImpl* p =
       ChildProcessSecurityPolicyImpl::GetInstance();
 
   p->Add(kRendererID);
 
   // Safe
-  EXPECT_TRUE(p->CanRequestURL(kRendererID, GURL("http://www.google.com/")));
-  EXPECT_TRUE(p->CanRequestURL(kRendererID, GURL("https://www.paypal.com/")));
-  EXPECT_TRUE(p->CanRequestURL(kRendererID, GURL("ftp://ftp.gnu.org/")));
-  EXPECT_TRUE(p->CanRequestURL(kRendererID, GURL("data:text/html,<b>Hi</b>")));
+  EXPECT_TRUE(p->CanRequestURL(kRendererID, GURL("http://www.google.com/"),
+                               ResourceType::MAIN_FRAME));
+  EXPECT_TRUE(p->CanRequestURL(kRendererID, GURL("https://www.paypal.com/"),
+                               ResourceType::MAIN_FRAME));

[Charlie Reis, 2012/11/28 18:58:26]

Just to test both code paths, let's make this one SUB_FRAME.

+  EXPECT_TRUE(p->CanRequestURL(kRendererID, GURL("ftp://ftp.gnu.org/"),
+                               ResourceType::MAIN_FRAME));
+  EXPECT_TRUE(p->CanRequestURL(kRendererID, GURL("data:text/html,<b>Hi</b>"),
+                               ResourceType::MAIN_FRAME));
   EXPECT_TRUE(p->CanRequestURL(kRendererID,
-                               GURL("view-source:http://www.google.com/")));
+                               GURL("view-source:http://www.google.com/"),
+                               ResourceType::MAIN_FRAME));
   EXPECT_TRUE(p->CanRequestURL(
-      kRendererID, GURL("filesystem:http://localhost/temporary/a.gif")));
+      kRendererID, GURL("filesystem:http://localhost/temporary/a.gif"),
+      ResourceType::LAST_TYPE));

[irobert, 2012/11/28 01:27:57]

For these tests, resource type does not matter the result.

[Charlie Reis, 2012/11/28 18:58:26]

Sure, but might as well use something realistic.  IMAGE in this case.

 
   // Dangerous
   EXPECT_FALSE(p->CanRequestURL(kRendererID,
-                                GURL("file:///etc/passwd")));
+                                GURL("file:///etc/passwd"),
+                                ResourceType::LAST_TYPE));
   EXPECT_FALSE(p->CanRequestURL(kRendererID,
-                                GURL("chrome://foo/bar")));
+                                GURL("chrome://foo/bar"),
+                                ResourceType::LAST_TYPE));
 
   p->Remove(kRendererID);
 }
 
 TEST_F(ChildProcessSecurityPolicyTest, AboutTest) {
   ChildProcessSecurityPolicyImpl* p =
       ChildProcessSecurityPolicyImpl::GetInstance();
 
   p->Add(kRendererID);
 
-  EXPECT_TRUE(p->CanRequestURL(kRendererID, GURL("about:blank")));
-  EXPECT_TRUE(p->CanRequestURL(kRendererID, GURL("about:BlAnK")));
-  EXPECT_TRUE(p->CanRequestURL(kRendererID, GURL("aBouT:BlAnK")));
-  EXPECT_TRUE(p->CanRequestURL(kRendererID, GURL("aBouT:blank")));
+  EXPECT_TRUE(p->CanRequestURL(kRendererID, GURL("about:blank"),
+                               ResourceType::MAIN_FRAME));
+  EXPECT_TRUE(p->CanRequestURL(kRendererID, GURL("about:BlAnK"),
+                               ResourceType::MAIN_FRAME));
+  EXPECT_TRUE(p->CanRequestURL(kRendererID, GURL("aBouT:BlAnK"),
+                               ResourceType::MAIN_FRAME));
+  EXPECT_TRUE(p->CanRequestURL(kRendererID, GURL("aBouT:blank"),
+                               ResourceType::MAIN_FRAME));
 
-  EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("about:memory")));
-  EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("about:crash")));
-  EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("about:cache")));
-  EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("about:hang")));
+  EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("about:memory"),
+                                ResourceType::MAIN_FRAME));
+  EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("about:crash"),
+                                ResourceType::MAIN_FRAME));
+  EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("about:cache"),
+                                ResourceType::MAIN_FRAME));
+  EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("about:hang"),
+                                ResourceType::MAIN_FRAME));
 
-  EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("aBoUt:memory")));
-  EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("about:CrASh")));
-  EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("abOuT:cAChe")));
+  EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("aBoUt:memory"),
+                                ResourceType::MAIN_FRAME));
+  EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("about:CrASh"),
+                                ResourceType::MAIN_FRAME));
+  EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("abOuT:cAChe"),
+                                ResourceType::MAIN_FRAME));
 
   // Requests for about: pages should be denied.
   p->GrantRequestURL(kRendererID, GURL("about:crash"));
-  EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("about:crash")));
+  EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("about:crash"),
+                                ResourceType::MAIN_FRAME));
 
   // These requests for chrome:// pages should be granted.
   GURL chrome_url("chrome://foo");
   p->GrantRequestURL(kRendererID, chrome_url);
-  EXPECT_TRUE(p->CanRequestURL(kRendererID, chrome_url));
+  EXPECT_TRUE(p->CanRequestURL(kRendererID, chrome_url,
+                               ResourceType::MAIN_FRAME));
 
   p->Remove(kRendererID);
 }
 
 TEST_F(ChildProcessSecurityPolicyTest, JavaScriptTest) {
   ChildProcessSecurityPolicyImpl* p =
       ChildProcessSecurityPolicyImpl::GetInstance();
 
   p->Add(kRendererID);
 
-  EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("javascript:alert('xss')")));
+  EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("javascript:alert('xss')"),
+                                ResourceType::MAIN_FRAME));
   p->GrantRequestURL(kRendererID, GURL("javascript:alert('xss')"));
-  EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("javascript:alert('xss')")));
+  EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("javascript:alert('xss')"),
+                                ResourceType::MAIN_FRAME));
 
   p->Remove(kRendererID);
 }
 
 TEST_F(ChildProcessSecurityPolicyTest, RegisterWebSafeSchemeTest) {
   ChildProcessSecurityPolicyImpl* p =
       ChildProcessSecurityPolicyImpl::GetInstance();
 
   p->Add(kRendererID);
 
   // Currently, "asdf" is destined for ShellExecute, so it is allowed.
-  EXPECT_TRUE(p->CanRequestURL(kRendererID, GURL("asdf:rockers")));
+  EXPECT_TRUE(p->CanRequestURL(kRendererID, GURL("asdf:rockers"),
+                               ResourceType::MAIN_FRAME));
 
   // Once we register "asdf", we default to deny.
   RegisterTestScheme("asdf");
-  EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("asdf:rockers")));
+  EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("asdf:rockers"),
+                                ResourceType::MAIN_FRAME));
 
   // We can allow new schemes by adding them to the whitelist.
   p->RegisterWebSafeScheme("asdf");
-  EXPECT_TRUE(p->CanRequestURL(kRendererID, GURL("asdf:rockers")));
+  EXPECT_TRUE(p->CanRequestURL(kRendererID, GURL("asdf:rockers"),
+                               ResourceType::MAIN_FRAME));
 
   // Cleanup.
   p->Remove(kRendererID);
 }
 
 TEST_F(ChildProcessSecurityPolicyTest, CanServiceCommandsTest) {
   ChildProcessSecurityPolicyImpl* p =
       ChildProcessSecurityPolicyImpl::GetInstance();
 
   p->Add(kRendererID);
 
-  EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("file:///etc/passwd")));
+  EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("file:///etc/passwd"),
+                                ResourceType::LAST_TYPE));

[Charlie Reis, 2012/11/28 18:58:26]

Let's make these all MAIN_FRAME, since the intent is to test them as a real
page.

   p->GrantRequestURL(kRendererID, GURL("file:///etc/passwd"));
-  EXPECT_TRUE(p->CanRequestURL(kRendererID, GURL("file:///etc/passwd")));
+  EXPECT_TRUE(p->CanRequestURL(kRendererID, GURL("file:///etc/passwd"),
+                               ResourceType::LAST_TYPE));
 
-  EXPECT_TRUE(p->CanRequestURL(kRendererID, GURL("evil-scheme:/path")));
+  EXPECT_TRUE(p->CanRequestURL(kRendererID, GURL("evil-scheme:/path"),
+                               ResourceType::LAST_TYPE));
   std::set<std::string> disabled_set;
   disabled_set.insert("evil-scheme");
   p->RegisterDisabledSchemes(disabled_set);
-  EXPECT_TRUE(p->CanRequestURL(kRendererID, GURL("http://www.google.com")));
-  EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("evil-scheme:/path")));
+  EXPECT_TRUE(p->CanRequestURL(kRendererID, GURL("http://www.google.com"),
+                               ResourceType::LAST_TYPE));
+  EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("evil-scheme:/path"),
+                                ResourceType::LAST_TYPE));
   disabled_set.clear();
   p->RegisterDisabledSchemes(disabled_set);
-  EXPECT_TRUE(p->CanRequestURL(kRendererID, GURL("http://www.google.com")));
-  EXPECT_TRUE(p->CanRequestURL(kRendererID, GURL("evil-scheme:/path")));
+  EXPECT_TRUE(p->CanRequestURL(kRendererID, GURL("http://www.google.com"),
+                               ResourceType::MAIN_FRAME));
+  EXPECT_TRUE(p->CanRequestURL(kRendererID, GURL("evil-scheme:/path"),
+                               ResourceType::LAST_TYPE));
 
   // We should forget our state if we repeat a renderer id.
   p->Remove(kRendererID);
   p->Add(kRendererID);
-  EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("file:///etc/passwd")));
+  EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("file:///etc/passwd"),
+                                ResourceType::LAST_TYPE));
   p->Remove(kRendererID);
 }
 
 TEST_F(ChildProcessSecurityPolicyTest, ViewSource) {
   ChildProcessSecurityPolicyImpl* p =
       ChildProcessSecurityPolicyImpl::GetInstance();
 
   p->Add(kRendererID);
 
   // View source is determined by the embedded scheme.
   EXPECT_TRUE(p->CanRequestURL(kRendererID,
-                               GURL("view-source:http://www.google.com/")));
+                               GURL("view-source:http://www.google.com/"),
+                               ResourceType::MAIN_FRAME));
   EXPECT_FALSE(p->CanRequestURL(kRendererID,
-                                GURL("view-source:file:///etc/passwd")));
-  EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("file:///etc/passwd")));
+                                GURL("view-source:file:///etc/passwd"),
+                                ResourceType::LAST_TYPE));

[Charlie Reis, 2012/11/28 18:58:26]

Same: these should all be MAIN_FRAME.

+  EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("file:///etc/passwd"),
+                                ResourceType::LAST_TYPE));
   EXPECT_FALSE(p->CanRequestURL(
-      kRendererID, GURL("view-source:view-source:http://www.google.com/")));
+      kRendererID, GURL("view-source:view-source:http://www.google.com/"),
+      ResourceType::MAIN_FRAME));
 
   p->GrantRequestURL(kRendererID, GURL("view-source:file:///etc/passwd"));
   // View source needs to be able to request the embedded scheme.
   EXPECT_TRUE(p->CanRequestURL(kRendererID,
-                               GURL("view-source:file:///etc/passwd")));
-  EXPECT_TRUE(p->CanRequestURL(kRendererID, GURL("file:///etc/passwd")));
+                               GURL("view-source:file:///etc/passwd"),
+                               ResourceType::MAIN_FRAME));
+  EXPECT_TRUE(p->CanRequestURL(kRendererID, GURL("file:///etc/passwd"),
+                               ResourceType::LAST_TYPE));
 
   p->Remove(kRendererID);
 }
 
 TEST_F(ChildProcessSecurityPolicyTest, SpecificFile) {
   ChildProcessSecurityPolicyImpl* p =
       ChildProcessSecurityPolicyImpl::GetInstance();
 
   p->Add(kRendererID);
 
   GURL icon_url("file:///tmp/foo.png");
   GURL sensitive_url("file:///etc/passwd");
-  EXPECT_FALSE(p->CanRequestURL(kRendererID, icon_url));
-  EXPECT_FALSE(p->CanRequestURL(kRendererID, sensitive_url));
+  EXPECT_FALSE(p->CanRequestURL(kRendererID, icon_url,
+                                ResourceType::IMAGE));

[Charlie Reis, 2012/11/28 18:58:26]

Even though this is an image, let's treat these all as MAIN_FRAME, since we're
not really testing the resource_type code paths here.

+  EXPECT_FALSE(p->CanRequestURL(kRendererID, sensitive_url,
+                                ResourceType::LAST_TYPE));
 
   p->GrantRequestSpecificFileURL(kRendererID, icon_url);
-  EXPECT_TRUE(p->CanRequestURL(kRendererID, icon_url));
-  EXPECT_FALSE(p->CanRequestURL(kRendererID, sensitive_url));
+  EXPECT_TRUE(p->CanRequestURL(kRendererID, icon_url,
+                               ResourceType::IMAGE));
+  EXPECT_FALSE(p->CanRequestURL(kRendererID, sensitive_url,
+                                ResourceType::LAST_TYPE));
 
   p->GrantRequestURL(kRendererID, icon_url);
-  EXPECT_TRUE(p->CanRequestURL(kRendererID, icon_url));
-  EXPECT_TRUE(p->CanRequestURL(kRendererID, sensitive_url));
+  EXPECT_TRUE(p->CanRequestURL(kRendererID, icon_url,
+                               ResourceType::IMAGE));
+  EXPECT_TRUE(p->CanRequestURL(kRendererID, sensitive_url,
+                               ResourceType::LAST_TYPE));
 
   p->Remove(kRendererID);
 }
 
 TEST_F(ChildProcessSecurityPolicyTest, CanReadFiles) {
   ChildProcessSecurityPolicyImpl* p =
       ChildProcessSecurityPolicyImpl::GetInstance();
 
   p->Add(kRendererID);
 
@@ skipping 193 matching lines @@
 
 TEST_F(ChildProcessSecurityPolicyTest, CanServiceWebUIBindings) {
   ChildProcessSecurityPolicyImpl* p =
       ChildProcessSecurityPolicyImpl::GetInstance();
 
   GURL url("chrome://thumb/http://www.google.com/");
 
   p->Add(kRendererID);
 
   EXPECT_FALSE(p->HasWebUIBindings(kRendererID));
-  EXPECT_FALSE(p->CanRequestURL(kRendererID, url));
+  EXPECT_FALSE(p->CanRequestURL(kRendererID, url,
+                                ResourceType::MAIN_FRAME));
   p->GrantWebUIBindings(kRendererID);
   EXPECT_TRUE(p->HasWebUIBindings(kRendererID));
-  EXPECT_TRUE(p->CanRequestURL(kRendererID, url));
+  EXPECT_TRUE(p->CanRequestURL(kRendererID, url,
+                               ResourceType::MAIN_FRAME));
 
   p->Remove(kRendererID);
 }
 
 TEST_F(ChildProcessSecurityPolicyTest, RemoveRace) {
   ChildProcessSecurityPolicyImpl* p =
       ChildProcessSecurityPolicyImpl::GetInstance();
 
   GURL url("file:///etc/passwd");
   FilePath file(FILE_PATH_LITERAL("/etc/passwd"));
 
   p->Add(kRendererID);
 
   p->GrantRequestURL(kRendererID, url);
   p->GrantReadFile(kRendererID, file);
   p->GrantWebUIBindings(kRendererID);
 
-  EXPECT_TRUE(p->CanRequestURL(kRendererID, url));
+  EXPECT_TRUE(p->CanRequestURL(kRendererID, url,
+                               ResourceType::LAST_TYPE));

[Charlie Reis, 2012/11/28 18:58:26]

MAIN_FRAME

   EXPECT_TRUE(p->CanReadFile(kRendererID, file));
   EXPECT_TRUE(p->HasWebUIBindings(kRendererID));
 
   p->Remove(kRendererID);
 
   // Renderers are added and removed on the UI thread, but the policy can be
   // queried on the IO thread.  The ChildProcessSecurityPolicy needs to be
   // prepared to answer policy questions about renderers who no longer exist.
 
   // In this case, we default to secure behavior.
-  EXPECT_FALSE(p->CanRequestURL(kRendererID, url));
+  EXPECT_FALSE(p->CanRequestURL(kRendererID, url,
+                                ResourceType::MAIN_FRAME));
   EXPECT_FALSE(p->CanReadFile(kRendererID, file));
   EXPECT_FALSE(p->HasWebUIBindings(kRendererID));
 }
 
 }  // namespace content