Chromium Code Reviews Chromium Code Reviews
Issue 11416121:
Prevent cross-site pages when --site-per-process is passed (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src| OLD | NEW |
|---|---|
| (Empty) | |
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | |
| 2 // Use of this source code is governed by a BSD-style license that can be | |
| 3 // found in the LICENSE file. | |
| 4 | |
| 5 #include "base/command_line.h" | |
| 6 #include "base/stringprintf.h" | |
| 7 #include "base/utf_string_conversions.h" | |
| 8 #include "content/browser/web_contents/web_contents_impl.h" | |
| 9 #include "content/public/browser/notification_types.h" | |
| 10 #include "content/public/browser/web_contents_observer.h" | |
| 11 #include "content/public/common/content_switches.h" | |
| 12 #include "content/public/test/browser_test_utils.h" | |
| 13 #include "content/public/test/test_utils.h" | |
| 14 #include "content/shell/shell.h" | |
| 15 #include "content/test/content_browser_test.h" | |
| 16 #include "content/test/content_browser_test_utils.h" | |
| 17 | |
| 18 namespace content { | |
| 19 | |
| 20 class SitePerProcessWebContentsObserver: public WebContentsObserver { | |
| 21 public: | |
| 22 explicit SitePerProcessWebContentsObserver(WebContents* web_contents) | |
| 23 : WebContentsObserver(web_contents), | |
| 24 navigation_succeeded_(true) {} | |
| 25 virtual ~SitePerProcessWebContentsObserver() {} | |
| 26 | |
| 27 virtual void DidFailProvisionalLoad( | |
| 28 int64 frame_id, | |
| 29 bool is_main_frame, | |
| 30 const GURL& validated_url, | |
| 31 int error_code, | |
| 32 const string16& error_description, | |
| 33 RenderViewHost* render_view_host) OVERRIDE { | |
| 34 navigation_url_ = validated_url; | |
| 35 navigation_succeeded_ = false; | |
| 36 } | |
| 37 | |
| 38 virtual void DidCommitProvisionalLoadForFrame( | |
| 39 int64 frame_id, | |
| 40 bool is_main_frame, | |
| 41 const GURL& url, | |
| 42 PageTransition transition_type, | |
| 43 RenderViewHost* render_view_host) OVERRIDE{ | |
| 44 navigation_url_ = url; | |
| 45 navigation_succeeded_ = true; | |
| 46 } | |
| 47 | |
| 48 GURL navigation_url() const { | |
|
nasko
2012/12/06 17:20:15
Why not return const GURL&? Do we need to make a c
irobert
2012/12/06 19:10:40
Done.
| |
| 49 return navigation_url_; | |
| 50 } | |
| 51 | |
| 52 int navigation_result() const { return navigation_succeeded_; } | |
|
Charlie Reis
2012/12/06 01:42:45
nit: navigation_succeeded()
irobert
2012/12/06 19:10:40
Done.
| |
| 53 | |
| 54 private: | |
| 55 GURL navigation_url_; | |
| 56 bool navigation_succeeded_; | |
| 57 | |
| 58 DISALLOW_COPY_AND_ASSIGN(SitePerProcessWebContentsObserver); | |
| 59 }; | |
| 60 | |
| 61 class SitePerProcessBrowserTest : public ContentBrowserTest { | |
| 62 public: | |
| 63 SitePerProcessBrowserTest() {} | |
| 64 | |
| 65 bool NavigateIframeToURL(Shell* window, | |
| 66 const GURL& url, | |
| 67 std::string iframe_id) { | |
| 68 std::string script = base::StringPrintf( | |
| 69 "var iframes = document.getElementById('%s');iframes.src='%s';", | |
| 70 iframe_id.c_str(), url.spec().c_str()); | |
| 71 WindowedNotificationObserver load_observer( | |
| 72 NOTIFICATION_LOAD_STOP, | |
| 73 Source<NavigationController>( | |
| 74 &shell()->web_contents()->GetController())); | |
| 75 bool result = content::ExecuteJavaScript( | |
| 76 window->web_contents()->GetRenderViewHost(), | |
| 77 L"", ASCIIToWide(script)); | |
| 78 load_observer.Wait(); | |
| 79 return result; | |
| 80 } | |
| 81 | |
| 82 void SetUpCommandLine(CommandLine* command_line) { | |
| 83 command_line->AppendSwitch(switches::kSitePerProcess); | |
| 84 } | |
| 85 }; | |
| 86 | |
| 87 IN_PROC_BROWSER_TEST_F(SitePerProcessBrowserTest, CrossSiteIframe) { | |
| 88 ASSERT_TRUE(test_server()->Start()); | |
| 89 net::TestServer https_server( | |
| 90 net::TestServer::TYPE_HTTPS, | |
| 91 net::TestServer::kLocalhost, | |
| 92 FilePath(FILE_PATH_LITERAL("content/test/data"))); | |
| 93 ASSERT_TRUE(https_server.Start()); | |
| 94 GURL main_url(test_server()->GetURL("files/site_per_process_main.html")); | |
| 95 | |
| 96 NavigateToURL(shell(), main_url); | |
| 97 | |
| 98 SitePerProcessWebContentsObserver observer(shell()->web_contents()); | |
| 99 { | |
| 100 // Load same-site page into Iframe. | |
| 101 GURL http_url(test_server()->GetURL("files/title1.html")); | |
| 102 EXPECT_TRUE(NavigateIframeToURL(shell(), http_url, "test")); | |
| 103 EXPECT_EQ(observer.navigation_url(), http_url); | |
| 104 EXPECT_TRUE(observer.navigation_result()); | |
| 105 } | |
| 106 | |
| 107 { | |
| 108 // Load cross-site page into Iframe. | |
| 109 GURL https_url(https_server.GetURL("files/title1.html")); | |
| 110 EXPECT_TRUE(NavigateIframeToURL(shell(), https_url, "test")); | |
| 111 EXPECT_EQ(observer.navigation_url(), https_url); | |
| 112 EXPECT_FALSE(observer.navigation_result()); | |
| 113 } | |
| 114 } | |
| 115 | |
| 116 IN_PROC_BROWSER_TEST_F(SitePerProcessBrowserTest, CrossSiteIframeRedirectOnce) { | |
| 117 ASSERT_TRUE(test_server()->Start()); | |
| 118 net::TestServer https_server( | |
| 119 net::TestServer::TYPE_HTTPS, | |
| 120 net::TestServer::kLocalhost, | |
| 121 FilePath(FILE_PATH_LITERAL("content/test/data"))); | |
| 122 ASSERT_TRUE(https_server.Start()); | |
| 123 | |
| 124 GURL main_url(test_server()->GetURL("files/site_per_process_main.html")); | |
| 125 GURL http_url(test_server()->GetURL("files/title1.html")); | |
| 126 GURL https_url(https_server.GetURL("files/title1.html")); | |
| 127 | |
| 128 NavigateToURL(shell(), main_url); | |
| 129 | |
| 130 SitePerProcessWebContentsObserver observer(shell()->web_contents()); | |
| 131 { | |
| 132 // Load cross-site client-redirect page into Iframe. | |
| 133 // Should be blocked. | |
| 134 GURL client_redirect_https_url(https_server.GetURL( | |
| 135 "client-redirect?files/title1.html")); | |
| 136 EXPECT_TRUE(NavigateIframeToURL(shell(), | |
|
nasko
2012/12/06 17:20:15
This function always takes "test" as the last para
irobert
2012/12/06 19:10:40
When I designed the NavigateIframeToURL API, I wan
| |
| 137 client_redirect_https_url, "test")); | |
| 138 // DidFailProvisionalLoad when navigating to client_redirect_https_url. | |
| 139 EXPECT_EQ(observer.navigation_url(), client_redirect_https_url); | |
| 140 EXPECT_FALSE(observer.navigation_result()); | |
| 141 } | |
| 142 | |
| 143 { | |
| 144 // Load cross-site server-redirect page into Iframe, | |
| 145 // which redirects to same-site page. | |
| 146 GURL server_redirect_http_url(https_server.GetURL( | |
| 147 "server-redirect?" + http_url.spec())); | |
| 148 EXPECT_TRUE(NavigateIframeToURL(shell(), | |
| 149 server_redirect_http_url, "test")); | |
| 150 EXPECT_EQ(observer.navigation_url(), http_url); | |
| 151 EXPECT_TRUE(observer.navigation_result()); | |
| 152 } | |
| 153 | |
| 154 { | |
| 155 // Load cross-site server-redirect page into Iframe, | |
| 156 // which redirects to cross-site page. | |
| 157 GURL server_redirect_http_url(https_server.GetURL( | |
| 158 "server-redirect?files/title1.html")); | |
| 159 EXPECT_TRUE(NavigateIframeToURL(shell(), | |
| 160 server_redirect_http_url, "test")); | |
| 161 // DidFailProvisionalLoad when navigating to https_url. | |
| 162 EXPECT_EQ(observer.navigation_url(), https_url); | |
| 163 EXPECT_FALSE(observer.navigation_result()); | |
| 164 } | |
| 165 | |
| 166 { | |
| 167 // Load same-site server-redirect page into Iframe. | |
|
nasko
2012/12/06 17:20:15
nit: , instead of . at the end of the line.
irobert
2012/12/06 19:10:40
Done.
| |
| 168 // which redirects to same-site page. | |
| 169 GURL server_redirect_http_url(test_server()->GetURL( | |
| 170 "server-redirect?files/title1.html")); | |
| 171 EXPECT_TRUE(NavigateIframeToURL(shell(), | |
| 172 server_redirect_http_url, "test")); | |
| 173 EXPECT_EQ(observer.navigation_url(), http_url); | |
| 174 EXPECT_TRUE(observer.navigation_result()); | |
| 175 } | |
| 176 | |
| 177 { | |
| 178 // Load same-site client-redirect page into Iframe, | |
| 179 // which redirects to same-site page. | |
| 180 GURL client_redirect_http_url(test_server()->GetURL( | |
| 181 "client-redirect?files/title1.html")); | |
| 182 EXPECT_TRUE(NavigateIframeToURL(shell(), | |
| 183 client_redirect_http_url, "test")); | |
| 184 EXPECT_EQ(observer.navigation_url(), client_redirect_http_url); | |
| 185 EXPECT_TRUE(observer.navigation_result()); | |
| 186 } | |
|
Charlie Reis
2012/12/06 01:42:45
Might as well toss in the other two cases:
same-si
irobert
2012/12/06 19:10:40
Done.
irobert
2012/12/06 19:10:40
Done.
| |
| 187 } | |
| 188 | |
| 189 IN_PROC_BROWSER_TEST_F(SitePerProcessBrowserTest, | |
| 190 CrossSiteIframeRedirectTwice) { | |
| 191 ASSERT_TRUE(test_server()->Start()); | |
| 192 net::TestServer https_server( | |
| 193 net::TestServer::TYPE_HTTPS, | |
| 194 net::TestServer::kLocalhost, | |
| 195 FilePath(FILE_PATH_LITERAL("content/test/data"))); | |
| 196 ASSERT_TRUE(https_server.Start()); | |
| 197 | |
| 198 GURL main_url(test_server()->GetURL("files/site_per_process_main.html")); | |
| 199 GURL http_url(test_server()->GetURL("files/title1.html")); | |
| 200 GURL https_url(https_server.GetURL("files/title1.html")); | |
| 201 | |
| 202 NavigateToURL(shell(), main_url); | |
| 203 | |
| 204 SitePerProcessWebContentsObserver observer(shell()->web_contents()); | |
| 205 { | |
| 206 // Load client-redirect page pointed to a cross-site client-redirect page, | |
|
nasko
2012/12/06 17:20:15
nit: s/pointed/pointing/?
irobert
2012/12/06 19:10:40
Done.
| |
| 207 // which eventually redirects back to same-site page. | |
| 208 GURL client_redirect_https_url(https_server.GetURL( | |
| 209 "client-redirect?" + http_url.spec())); | |
| 210 GURL client_redirect_http_url(test_server()->GetURL( | |
| 211 "client-redirect?" + client_redirect_https_url.spec())); | |
| 212 EXPECT_TRUE(NavigateIframeToURL(shell(), client_redirect_http_url, "test")); | |
| 213 | |
| 214 // We should check until second client redirect get cancelled. | |
|
Charlie Reis
2012/12/06 01:42:45
nit: s/check/wait/
irobert
2012/12/06 19:10:40
Done.
| |
| 215 WindowedNotificationObserver load_observer2( | |
| 216 NOTIFICATION_LOAD_STOP, | |
| 217 Source<NavigationController>( | |
| 218 &shell()->web_contents()->GetController())); | |
|
Charlie Reis
2012/12/06 01:42:45
The NavigateIFrameToURL line should be between the
irobert
2012/12/06 19:10:40
I think NavigateIFrameToURL line cannot be between
Charlie Reis
2012/12/06 20:20:22
Ah. This approach won't work either, though. It
irobert
2012/12/06 22:37:02
I wrote a new NotificationObeserver which wait unt
| |
| 219 load_observer2.Wait(); | |
| 220 | |
| 221 // DidFailProvisionalLoad when navigating to client_redirect_https_url. | |
| 222 EXPECT_EQ(observer.navigation_url(), client_redirect_https_url); | |
| 223 EXPECT_FALSE(observer.navigation_result()); | |
| 224 } | |
| 225 | |
| 226 { | |
| 227 // Load server-redirect page pointed to a cross-site server-redirect page, | |
| 228 // which eventually redirect back to same-site page. | |
| 229 GURL server_redirect_https_url(https_server.GetURL( | |
| 230 "server-redirect?" + http_url.spec())); | |
| 231 GURL server_redirect_http_url(test_server()->GetURL( | |
| 232 "server-redirect?" + server_redirect_https_url.spec())); | |
| 233 EXPECT_TRUE(NavigateIframeToURL(shell(), | |
| 234 server_redirect_http_url, "test")); | |
| 235 EXPECT_EQ(observer.navigation_url(), http_url); | |
| 236 EXPECT_TRUE(observer.navigation_result()); | |
| 237 } | |
| 238 | |
| 239 { | |
| 240 // Load server-redirect page pointed to a cross-site server-redirect page, | |
| 241 // which eventually redirects back to cross-site page. | |
| 242 GURL server_redirect_https_url(https_server.GetURL( | |
| 243 "server-redirect?" + https_url.spec())); | |
| 244 GURL server_redirect_http_url(test_server()->GetURL( | |
| 245 "server-redirect?" + server_redirect_https_url.spec())); | |
| 246 EXPECT_TRUE(NavigateIframeToURL(shell(), server_redirect_http_url, "test")); | |
| 247 // DidFailProvisionalLoad when navigating to https_url. | |
| 248 EXPECT_EQ(observer.navigation_url(), https_url); | |
| 249 EXPECT_FALSE(observer.navigation_result()); | |
| 250 } | |
| 251 | |
| 252 { | |
| 253 // Load server-redirect page pointed to a cross-site server-redirect page, | |
|
Charlie Reis
2012/12/06 01:42:45
It's pointed to a cross-site client-redirect page,
irobert
2012/12/06 19:10:40
Done.
| |
| 254 // which eventually redirects back to same-site page. | |
| 255 GURL client_redirect_http_url(https_server.GetURL( | |
| 256 "client-redirect?" + http_url.spec())); | |
| 257 GURL server_redirect_http_url(test_server()->GetURL( | |
| 258 "server-redirect?" + client_redirect_http_url.spec())); | |
| 259 EXPECT_TRUE(NavigateIframeToURL(shell(), server_redirect_http_url, "test")); | |
| 260 // DidFailProvisionalLoad when navigating to client_redirect_http_url. | |
| 261 EXPECT_EQ(observer.navigation_url(), client_redirect_http_url); | |
| 262 EXPECT_FALSE(observer.navigation_result()); | |
| 263 } | |
| 264 } | |
| 265 | |
| 266 } | |
| OLD | NEW |
