Chromium Code Reviews Chromium Code Reviews
Issue 1270663002:
Validate the Origin HTTP header in the browser process. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master| Index: content/browser/security_exploit_browsertest.cc |
| diff --git a/content/browser/security_exploit_browsertest.cc b/content/browser/security_exploit_browsertest.cc |
| index 086d801fe4dce063bd25d0347a4180c1eaec51a7..51226052cf91b8b78011ed39c482b6dfca0e0414 100644 |
| --- a/content/browser/security_exploit_browsertest.cc |
| +++ b/content/browser/security_exploit_browsertest.cc |
| @@ -8,15 +8,19 @@ |
| #include "content/browser/dom_storage/dom_storage_context_wrapper.h" |
| #include "content/browser/dom_storage/session_storage_namespace_impl.h" |
| #include "content/browser/frame_host/navigator.h" |
| +#include "content/browser/frame_host/render_frame_host_impl.h" |
| #include "content/browser/renderer_host/render_view_host_factory.h" |
| #include "content/browser/renderer_host/render_view_host_impl.h" |
| #include "content/browser/web_contents/web_contents_impl.h" |
| #include "content/common/frame_messages.h" |
| +#include "content/common/resource_messages.h" |
| #include "content/common/view_messages.h" |
| #include "content/public/browser/browser_context.h" |
| +#include "content/public/browser/content_browser_client.h" |
| #include "content/public/browser/interstitial_page.h" |
| #include "content/public/browser/interstitial_page_delegate.h" |
| #include "content/public/browser/storage_partition.h" |
| +#include "content/public/common/appcache_info.h" |
| #include "content/public/common/content_switches.h" |
| #include "content/public/common/file_chooser_params.h" |
| #include "content/public/test/browser_test_utils.h" |
| @@ -24,6 +28,7 @@ |
| #include "content/public/test/content_browser_test_utils.h" |
| #include "content/public/test/test_utils.h" |
| #include "content/shell/browser/shell.h" |
| +#include "content/test/test_content_browser_client.h" |
| #include "ipc/ipc_security_test_util.h" |
| #include "net/dns/mock_host_resolver.h" |
| #include "net/test/embedded_test_server/embedded_test_server.h" |
| @@ -91,6 +96,28 @@ RenderViewHostImpl* PrepareToDuplicateHosts(Shell* shell, |
| return next_rfh->render_view_host(); |
| } |
| +ResourceHostMsg_Request CreateXHRRequestWithOrigin(const char* origin) { |
| + ResourceHostMsg_Request request; |
| + request.method = "GET"; |
| + request.url = GURL("http://bar.com/simple_page.html"); |
| + request.first_party_for_cookies = GURL(origin); |
| + request.referrer_policy = blink::WebReferrerPolicyDefault; |
| + request.headers = base::StringPrintf("Origin: %s\r\n", origin); |
| + request.load_flags = 0; |
| + request.origin_pid = 0; |
| + request.resource_type = RESOURCE_TYPE_XHR; |
| + request.request_context = 0; |
| + request.appcache_host_id = kAppCacheNoHostId; |
| + request.download_to_file = false; |
| + request.should_reset_appcache = false; |
| + request.is_main_frame = true; |
| + request.parent_is_main_frame = false; |
| + request.parent_render_frame_id = -1; |
|
nasko
2015/08/14 22:14:43
MSG_ROUTING_NONE?
Charlie Reis
2015/08/14 23:23:32
The docs say to use -1:
https://code.google.com/p/
nasko
2015/08/14 23:36:41
Acknowledged.
|
| + request.transition_type = ui::PAGE_TRANSITION_LINK; |
| + request.allow_download = true; |
| + return request; |
| +} |
| + |
| } // namespace |
| @@ -128,11 +155,11 @@ void SecurityExploitBrowserTest::TestFileChooserWithPath( |
| NavigateToURL(shell(), foo); |
| EXPECT_EQ(base::ASCIIToUTF16("OK"), shell()->web_contents()->GetTitle()); |
| - content::RenderViewHost* compromised_renderer = |
| + RenderViewHost* compromised_renderer = |
| shell()->web_contents()->GetRenderViewHost(); |
| - content::RenderProcessHostWatcher terminated( |
| + RenderProcessHostWatcher terminated( |
| shell()->web_contents(), |
| - content::RenderProcessHostWatcher::WATCH_FOR_PROCESS_EXIT); |
| + RenderProcessHostWatcher::WATCH_FOR_PROCESS_EXIT); |
| FileChooserParams params; |
| params.default_file_name = path; |
| @@ -154,9 +181,9 @@ IN_PROC_BROWSER_TEST_F(SecurityExploitBrowserTest, SetWebUIProperty) { |
| EXPECT_EQ(0, |
| shell()->web_contents()->GetRenderViewHost()->GetEnabledBindings()); |
| - content::RenderProcessHostWatcher terminated( |
| + RenderProcessHostWatcher terminated( |
| shell()->web_contents(), |
| - content::RenderProcessHostWatcher::WATCH_FOR_PROCESS_EXIT); |
| + RenderProcessHostWatcher::WATCH_FOR_PROCESS_EXIT); |
| shell()->web_contents()->GetRenderViewHost()->SetWebUIProperty( |
| "toolkit", "views"); |
| terminated.Wait(); |
| @@ -281,7 +308,7 @@ IN_PROC_BROWSER_TEST_F(SecurityExploitBrowserTest, |
| new SecurityExploitTestInterstitialPage(shell()->web_contents()); |
| ASSERT_EQ("", interstitial->last_command()); |
| - content::WaitForInterstitialAttach(shell()->web_contents()); |
| + WaitForInterstitialAttach(shell()->web_contents()); |
| InterstitialPage* interstitial_page = |
| shell()->web_contents()->GetInterstitialPage(); |
| @@ -298,7 +325,7 @@ IN_PROC_BROWSER_TEST_F(SecurityExploitBrowserTest, |
| // Send an automation message from the underlying content and wait for it to |
| // be dispatched on this thread. This message should not be received by the |
| // interstitial. |
| - content::RenderFrameHost* compromised_renderer = |
| + RenderFrameHost* compromised_renderer = |
| shell()->web_contents()->GetMainFrame(); |
| FrameHostMsg_DomOperationResponse evil(compromised_renderer->GetRoutingID(), |
| "evil", MSG_ROUTING_NONE); |
| @@ -313,12 +340,95 @@ IN_PROC_BROWSER_TEST_F(SecurityExploitBrowserTest, |
| // Send a second message from the interstitial page, and make sure that the |
| // "evil" message doesn't arrive in the intervening period. |
| - ASSERT_TRUE(content::ExecuteScript( |
| - interstitial_page->GetMainFrame(), |
| - "window.domAutomationController.send(\"okay2\");")); |
| + ASSERT_TRUE(ExecuteScript(interstitial_page->GetMainFrame(), |
| + "window.domAutomationController.send(\"okay2\");")); |
| ASSERT_TRUE(message_queue.WaitForMessage(&message)); |
| ASSERT_EQ("\"okay2\"", message); |
| ASSERT_EQ("\"okay2\"", interstitial->last_command()); |
| } |
| +class IsolatedAppContentBrowserClient : public TestContentBrowserClient { |
| + public: |
| + bool IsIllegalOrigin(content::ResourceContext* resource_context, |
|
Charlie Reis
2015/08/14 20:25:59
I wanted to test this in chrome/ with an actual ap
|
| + int child_process_id, |
| + const GURL& origin) override { |
| + // Simulate a case where an app origin is not in an app process. |
| + return true; |
| + } |
| +}; |
| + |
| +// Renderer processes should not be able to spoof Origin HTTP headers. |
| +IN_PROC_BROWSER_TEST_F(SecurityExploitBrowserTest, InvalidOriginHeaders) { |
| + // Create a set of IPC messages with various Origin headers. |
| + ResourceHostMsg_Request chrome_origin_msg( |
| + CreateXHRRequestWithOrigin("chrome://settings")); |
| + ResourceHostMsg_Request embedder_isolated_origin_msg( |
| + CreateXHRRequestWithOrigin("https://isolated.bar.com")); |
| + ResourceHostMsg_Request invalid_origin_msg( |
| + CreateXHRRequestWithOrigin("invalidurl")); |
| + ResourceHostMsg_Request invalid_scheme_origin_msg( |
| + CreateXHRRequestWithOrigin("fake-scheme://foo")); |
| + |
|
nasko
2015/08/14 22:14:43
Shouldn't a test case exist for chrome-extension:/
Charlie Reis
2015/08/14 23:23:32
Sadly I can't, since chrome-extension:// doesn't e
nasko
2015/08/14 23:36:41
Might be useful to put that/similar comment in the
Charlie Reis
2015/08/17 18:32:21
Done.
|
| + GURL web_url("http://foo.com/simple_page.html"); |
| + NavigateToURL(shell(), web_url); |
| + RenderFrameHost* web_rfh = shell()->web_contents()->GetMainFrame(); |
| + |
| + // Web processes cannot make XHRs with chrome:// Origin headers. |
| + { |
| + RenderProcessHostWatcher web_process_killed( |
| + web_rfh->GetProcess(), |
| + RenderProcessHostWatcher::WATCH_FOR_PROCESS_EXIT); |
| + IPC::IpcSecurityTestUtil::PwnMessageReceived( |
| + web_rfh->GetProcess()->GetChannel(), |
| + ResourceHostMsg_RequestResource(web_rfh->GetRoutingID(), 1, |
| + chrome_origin_msg)); |
| + web_process_killed.Wait(); |
| + } |
| + |
| + // Web processes cannot make XHRs with URLs that the content embedder expects |
| + // to have process isolation. |
| + NavigateToURL(shell(), web_url); |
| + { |
| + // Set up a ContentBrowserClient that simulates an app URL in a non-app |
| + // process. |
| + IsolatedAppContentBrowserClient app_client; |
| + ContentBrowserClient* old_client = SetBrowserClientForTesting(&app_client); |
| + RenderProcessHostWatcher web_process_killed( |
| + web_rfh->GetProcess(), |
| + RenderProcessHostWatcher::WATCH_FOR_PROCESS_EXIT); |
| + IPC::IpcSecurityTestUtil::PwnMessageReceived( |
| + web_rfh->GetProcess()->GetChannel(), |
| + ResourceHostMsg_RequestResource(web_rfh->GetRoutingID(), 1, |
| + embedder_isolated_origin_msg)); |
| + web_process_killed.Wait(); |
| + SetBrowserClientForTesting(old_client); |
| + } |
| + |
| + // Web processes cannot make XHRs with invalid Origin headers. |
| + NavigateToURL(shell(), web_url); |
| + { |
| + RenderProcessHostWatcher web_process_killed( |
| + web_rfh->GetProcess(), |
| + RenderProcessHostWatcher::WATCH_FOR_PROCESS_EXIT); |
| + IPC::IpcSecurityTestUtil::PwnMessageReceived( |
| + web_rfh->GetProcess()->GetChannel(), |
| + ResourceHostMsg_RequestResource(web_rfh->GetRoutingID(), 1, |
| + invalid_origin_msg)); |
| + web_process_killed.Wait(); |
| + } |
| + |
| + // Web processes cannot make XHRs with invalid scheme Origin headers. |
| + NavigateToURL(shell(), web_url); |
| + { |
| + RenderProcessHostWatcher web_process_killed( |
| + web_rfh->GetProcess(), |
| + RenderProcessHostWatcher::WATCH_FOR_PROCESS_EXIT); |
| + IPC::IpcSecurityTestUtil::PwnMessageReceived( |
| + web_rfh->GetProcess()->GetChannel(), |
| + ResourceHostMsg_RequestResource(web_rfh->GetRoutingID(), 1, |
| + invalid_scheme_origin_msg)); |
| + web_process_killed.Wait(); |
| + } |
| +} |
| + |
| } // namespace content |
