Validate the Origin HTTP header in the browser process.

content/browser/child_process_security_policy_unittest.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include <set>
 #include <string>
 
 #include "base/basictypes.h"
 #include "base/files/file_path.h"
 #include "content/browser/child_process_security_policy_impl.h"
@@ skipping 137 matching lines @@
 
   EXPECT_FALSE(p->IsPseudoScheme(kChromeUIScheme));
 }
 
 TEST_F(ChildProcessSecurityPolicyTest, StandardSchemesTest) {
   ChildProcessSecurityPolicyImpl* p =
       ChildProcessSecurityPolicyImpl::GetInstance();
 
   p->Add(kRendererID);
 
-  // Safe
+  // Safe to request or commit.
   EXPECT_TRUE(p->CanRequestURL(kRendererID, GURL("http://www.google.com/")));
   EXPECT_TRUE(p->CanRequestURL(kRendererID, GURL("https://www.paypal.com/")));
   EXPECT_TRUE(p->CanRequestURL(kRendererID, GURL("ftp://ftp.gnu.org/")));
   EXPECT_TRUE(p->CanRequestURL(kRendererID, GURL("data:text/html,<b>Hi</b>")));
+  EXPECT_TRUE(p->CanRequestURL(
+      kRendererID, GURL("filesystem:http://localhost/temporary/a.gif")));
+  EXPECT_TRUE(p->CanCommitURL(kRendererID, GURL("http://www.google.com/")));
+  EXPECT_TRUE(p->CanCommitURL(kRendererID, GURL("https://www.paypal.com/")));
+  EXPECT_TRUE(p->CanCommitURL(kRendererID, GURL("ftp://ftp.gnu.org/")));
+  EXPECT_TRUE(p->CanCommitURL(kRendererID, GURL("data:text/html,<b>Hi</b>")));
+  EXPECT_TRUE(p->CanCommitURL(
+      kRendererID, GURL("filesystem:http://localhost/temporary/a.gif")));
+
+  // Safe to request but not commit.
   EXPECT_TRUE(p->CanRequestURL(kRendererID,
                                GURL("view-source:http://www.google.com/")));
-  EXPECT_TRUE(p->CanRequestURL(
-      kRendererID, GURL("filesystem:http://localhost/temporary/a.gif")));
+  EXPECT_FALSE(p->CanCommitURL(kRendererID,
+                               GURL("view-source:http://www.google.com/")));
 
-  // Dangerous
+  // Dangerous to request or commit.
   EXPECT_FALSE(p->CanRequestURL(kRendererID,
                                 GURL("file:///etc/passwd")));
   EXPECT_FALSE(p->CanRequestURL(kRendererID,
                                 GURL("chrome://foo/bar")));
+  EXPECT_FALSE(p->CanCommitURL(kRendererID,
+                                GURL("file:///etc/passwd")));
+  EXPECT_FALSE(p->CanCommitURL(kRendererID,
+                                GURL("chrome://foo/bar")));
 
   p->Remove(kRendererID);
 }
 
 TEST_F(ChildProcessSecurityPolicyTest, AboutTest) {
   ChildProcessSecurityPolicyImpl* p =
       ChildProcessSecurityPolicyImpl::GetInstance();
 
   p->Add(kRendererID);
 
   EXPECT_TRUE(p->CanRequestURL(kRendererID, GURL("about:blank")));
   EXPECT_TRUE(p->CanRequestURL(kRendererID, GURL("about:BlAnK")));
   EXPECT_TRUE(p->CanRequestURL(kRendererID, GURL("aBouT:BlAnK")));
   EXPECT_TRUE(p->CanRequestURL(kRendererID, GURL("aBouT:blank")));
+  EXPECT_TRUE(p->CanCommitURL(kRendererID, GURL("about:blank")));
+  EXPECT_TRUE(p->CanCommitURL(kRendererID, GURL("about:BlAnK")));

[nasko, 2015/08/14 22:14:43]

Why not add a test case with capitalized letters in the "about" part?

[Charlie Reis, 2015/08/14 23:23:32]

Done.

 
   EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("about:memory")));
   EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("about:crash")));
   EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("about:cache")));
   EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("about:hang")));
+  EXPECT_FALSE(p->CanCommitURL(kRendererID, GURL("about:memory")));
+  EXPECT_FALSE(p->CanCommitURL(kRendererID, GURL("about:crash")));
+  EXPECT_FALSE(p->CanCommitURL(kRendererID, GURL("about:cache")));
+  EXPECT_FALSE(p->CanCommitURL(kRendererID, GURL("about:hang")));
 
   EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("aBoUt:memory")));
   EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("about:CrASh")));
   EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("abOuT:cAChe")));
+  EXPECT_FALSE(p->CanCommitURL(kRendererID, GURL("aBoUt:memory")));
+  EXPECT_FALSE(p->CanCommitURL(kRendererID, GURL("about:CrASh")));
+  EXPECT_FALSE(p->CanCommitURL(kRendererID, GURL("abOuT:cAChe")));
 
   // Requests for about: pages should be denied.
   p->GrantRequestURL(kRendererID, GURL("about:crash"));
   EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("about:crash")));
+  EXPECT_FALSE(p->CanCommitURL(kRendererID, GURL("about:crash")));
 
   // These requests for chrome:// pages should be granted.
   GURL chrome_url("chrome://foo");
   p->GrantRequestURL(kRendererID, chrome_url);
   EXPECT_TRUE(p->CanRequestURL(kRendererID, chrome_url));
+  EXPECT_TRUE(p->CanCommitURL(kRendererID, chrome_url));
 
   p->Remove(kRendererID);
 }
 
 TEST_F(ChildProcessSecurityPolicyTest, JavaScriptTest) {
   ChildProcessSecurityPolicyImpl* p =
       ChildProcessSecurityPolicyImpl::GetInstance();
 
   p->Add(kRendererID);
 
   EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("javascript:alert('xss')")));
+  EXPECT_FALSE(p->CanCommitURL(kRendererID, GURL("javascript:alert('xss')")));
   p->GrantRequestURL(kRendererID, GURL("javascript:alert('xss')"));
   EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("javascript:alert('xss')")));
+  EXPECT_FALSE(p->CanCommitURL(kRendererID, GURL("javascript:alert('xss')")));
 
   p->Remove(kRendererID);
 }
 
 TEST_F(ChildProcessSecurityPolicyTest, RegisterWebSafeSchemeTest) {
   ChildProcessSecurityPolicyImpl* p =
       ChildProcessSecurityPolicyImpl::GetInstance();
 
   p->Add(kRendererID);
 
-  // Currently, "asdf" is destined for ShellExecute, so it is allowed.
+  // Currently, "asdf" is destined for ShellExecute, so it is allowed to be
+  // requested but not committed.
   EXPECT_TRUE(p->CanRequestURL(kRendererID, GURL("asdf:rockers")));
+  EXPECT_FALSE(p->CanCommitURL(kRendererID, GURL("asdf:rockers")));
 
   // Once we register "asdf", we default to deny.
   RegisterTestScheme("asdf");
   EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("asdf:rockers")));
+  EXPECT_FALSE(p->CanCommitURL(kRendererID, GURL("asdf:rockers")));
 
   // We can allow new schemes by adding them to the whitelist.
   p->RegisterWebSafeScheme("asdf");
   EXPECT_TRUE(p->CanRequestURL(kRendererID, GURL("asdf:rockers")));
+  EXPECT_TRUE(p->CanCommitURL(kRendererID, GURL("asdf:rockers")));
 
   // Cleanup.
   p->Remove(kRendererID);
 }
 
 TEST_F(ChildProcessSecurityPolicyTest, CanServiceCommandsTest) {
   ChildProcessSecurityPolicyImpl* p =
       ChildProcessSecurityPolicyImpl::GetInstance();
 
   p->Add(kRendererID);
 
   EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("file:///etc/passwd")));
+  EXPECT_FALSE(p->CanCommitURL(kRendererID, GURL("file:///etc/passwd")));
   p->GrantRequestURL(kRendererID, GURL("file:///etc/passwd"));
   EXPECT_TRUE(p->CanRequestURL(kRendererID, GURL("file:///etc/passwd")));
+  EXPECT_TRUE(p->CanCommitURL(kRendererID, GURL("file:///etc/passwd")));
 
   // We should forget our state if we repeat a renderer id.
   p->Remove(kRendererID);
   p->Add(kRendererID);
   EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("file:///etc/passwd")));
+  EXPECT_FALSE(p->CanCommitURL(kRendererID, GURL("file:///etc/passwd")));
   p->Remove(kRendererID);
 }
 
 TEST_F(ChildProcessSecurityPolicyTest, ViewSource) {
   ChildProcessSecurityPolicyImpl* p =
       ChildProcessSecurityPolicyImpl::GetInstance();
 
   p->Add(kRendererID);
 
   // View source is determined by the embedded scheme.
   EXPECT_TRUE(p->CanRequestURL(kRendererID,
                                GURL("view-source:http://www.google.com/")));
   EXPECT_FALSE(p->CanRequestURL(kRendererID,
                                 GURL("view-source:file:///etc/passwd")));
   EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("file:///etc/passwd")));
   EXPECT_FALSE(p->CanRequestURL(
       kRendererID, GURL("view-source:view-source:http://www.google.com/")));
 
+  // View source URLs don't actually commit; the renderer is put into view
+  // source mode, and the inner URL commits.
+  EXPECT_FALSE(p->CanCommitURL(kRendererID,
+                               GURL("view-source:http://www.google.com/")));
+  EXPECT_FALSE(p->CanCommitURL(kRendererID,
+                               GURL("view-source:file:///etc/passwd")));
+  EXPECT_FALSE(p->CanCommitURL(kRendererID, GURL("file:///etc/passwd")));
+  EXPECT_FALSE(p->CanCommitURL(
+      kRendererID, GURL("view-source:view-source:http://www.google.com/")));
+
+
   p->GrantRequestURL(kRendererID, GURL("view-source:file:///etc/passwd"));
   // View source needs to be able to request the embedded scheme.
+  EXPECT_TRUE(p->CanRequestURL(kRendererID, GURL("file:///etc/passwd")));
+  EXPECT_TRUE(p->CanCommitURL(kRendererID, GURL("file:///etc/passwd")));
   EXPECT_TRUE(p->CanRequestURL(kRendererID,
                                GURL("view-source:file:///etc/passwd")));
-  EXPECT_TRUE(p->CanRequestURL(kRendererID, GURL("file:///etc/passwd")));
+  EXPECT_FALSE(p->CanCommitURL(kRendererID,
+                               GURL("view-source:file:///etc/passwd")));
 
   p->Remove(kRendererID);
 }
 
 TEST_F(ChildProcessSecurityPolicyTest, SpecificFile) {
   ChildProcessSecurityPolicyImpl* p =
       ChildProcessSecurityPolicyImpl::GetInstance();
 
   p->Add(kRendererID);
 
   GURL icon_url("file:///tmp/foo.png");
   GURL sensitive_url("file:///etc/passwd");
   EXPECT_FALSE(p->CanRequestURL(kRendererID, icon_url));
   EXPECT_FALSE(p->CanRequestURL(kRendererID, sensitive_url));
+  EXPECT_FALSE(p->CanCommitURL(kRendererID, icon_url));
+  EXPECT_FALSE(p->CanCommitURL(kRendererID, sensitive_url));
 
   p->GrantRequestSpecificFileURL(kRendererID, icon_url);
   EXPECT_TRUE(p->CanRequestURL(kRendererID, icon_url));
   EXPECT_FALSE(p->CanRequestURL(kRendererID, sensitive_url));
+  EXPECT_TRUE(p->CanCommitURL(kRendererID, icon_url));
+  EXPECT_FALSE(p->CanCommitURL(kRendererID, sensitive_url));
 
   p->GrantRequestURL(kRendererID, icon_url);
   EXPECT_TRUE(p->CanRequestURL(kRendererID, icon_url));
   EXPECT_TRUE(p->CanRequestURL(kRendererID, sensitive_url));
+  EXPECT_TRUE(p->CanCommitURL(kRendererID, icon_url));
+  EXPECT_TRUE(p->CanCommitURL(kRendererID, sensitive_url));
 
   p->Remove(kRendererID);
 }
 
 TEST_F(ChildProcessSecurityPolicyTest, FileSystemGrantsTest) {
   ChildProcessSecurityPolicyImpl* p =
       ChildProcessSecurityPolicyImpl::GetInstance();
 
   p->Add(kRendererID);
   std::string read_id =
@@ skipping 323 matching lines @@
   // queried on the IO thread.  The ChildProcessSecurityPolicy needs to be
   // prepared to answer policy questions about renderers who no longer exist.
 
   // In this case, we default to secure behavior.
   EXPECT_FALSE(p->CanRequestURL(kRendererID, url));
   EXPECT_FALSE(p->CanReadFile(kRendererID, file));
   EXPECT_FALSE(p->HasWebUIBindings(kRendererID));
 }
 
 }  // namespace content