| Index: content/browser/security_exploit_browsertest.cc
|
| diff --git a/content/browser/security_exploit_browsertest.cc b/content/browser/security_exploit_browsertest.cc
|
| index 086d801fe4dce063bd25d0347a4180c1eaec51a7..5f51e86ef88506cc0d4d1522a63dc1993bfeb625 100644
|
| --- a/content/browser/security_exploit_browsertest.cc
|
| +++ b/content/browser/security_exploit_browsertest.cc
|
| @@ -8,15 +8,19 @@
|
| #include "content/browser/dom_storage/dom_storage_context_wrapper.h"
|
| #include "content/browser/dom_storage/session_storage_namespace_impl.h"
|
| #include "content/browser/frame_host/navigator.h"
|
| +#include "content/browser/frame_host/render_frame_host_impl.h"
|
| #include "content/browser/renderer_host/render_view_host_factory.h"
|
| #include "content/browser/renderer_host/render_view_host_impl.h"
|
| #include "content/browser/web_contents/web_contents_impl.h"
|
| #include "content/common/frame_messages.h"
|
| +#include "content/common/resource_messages.h"
|
| #include "content/common/view_messages.h"
|
| #include "content/public/browser/browser_context.h"
|
| +#include "content/public/browser/content_browser_client.h"
|
| #include "content/public/browser/interstitial_page.h"
|
| #include "content/public/browser/interstitial_page_delegate.h"
|
| #include "content/public/browser/storage_partition.h"
|
| +#include "content/public/common/appcache_info.h"
|
| #include "content/public/common/content_switches.h"
|
| #include "content/public/common/file_chooser_params.h"
|
| #include "content/public/test/browser_test_utils.h"
|
| @@ -24,6 +28,7 @@
|
| #include "content/public/test/content_browser_test_utils.h"
|
| #include "content/public/test/test_utils.h"
|
| #include "content/shell/browser/shell.h"
|
| +#include "content/test/test_content_browser_client.h"
|
| #include "ipc/ipc_security_test_util.h"
|
| #include "net/dns/mock_host_resolver.h"
|
| #include "net/test/embedded_test_server/embedded_test_server.h"
|
| @@ -91,6 +96,28 @@ RenderViewHostImpl* PrepareToDuplicateHosts(Shell* shell,
|
| return next_rfh->render_view_host();
|
| }
|
|
|
| +ResourceHostMsg_Request CreateXHRRequestWithOrigin(const char* origin) {
|
| + ResourceHostMsg_Request request;
|
| + request.method = "GET";
|
| + request.url = GURL("http://bar.com/simple_page.html");
|
| + request.first_party_for_cookies = GURL(origin);
|
| + request.referrer_policy = blink::WebReferrerPolicyDefault;
|
| + request.headers = base::StringPrintf("Origin: %s\r\n", origin);
|
| + request.load_flags = 0;
|
| + request.origin_pid = 0;
|
| + request.resource_type = RESOURCE_TYPE_XHR;
|
| + request.request_context = 0;
|
| + request.appcache_host_id = kAppCacheNoHostId;
|
| + request.download_to_file = false;
|
| + request.should_reset_appcache = false;
|
| + request.is_main_frame = true;
|
| + request.parent_is_main_frame = false;
|
| + request.parent_render_frame_id = -1;
|
| + request.transition_type = ui::PAGE_TRANSITION_LINK;
|
| + request.allow_download = true;
|
| + return request;
|
| +}
|
| +
|
| } // namespace
|
|
|
|
|
| @@ -128,11 +155,11 @@ void SecurityExploitBrowserTest::TestFileChooserWithPath(
|
| NavigateToURL(shell(), foo);
|
| EXPECT_EQ(base::ASCIIToUTF16("OK"), shell()->web_contents()->GetTitle());
|
|
|
| - content::RenderViewHost* compromised_renderer =
|
| + RenderViewHost* compromised_renderer =
|
| shell()->web_contents()->GetRenderViewHost();
|
| - content::RenderProcessHostWatcher terminated(
|
| + RenderProcessHostWatcher terminated(
|
| shell()->web_contents(),
|
| - content::RenderProcessHostWatcher::WATCH_FOR_PROCESS_EXIT);
|
| + RenderProcessHostWatcher::WATCH_FOR_PROCESS_EXIT);
|
|
|
| FileChooserParams params;
|
| params.default_file_name = path;
|
| @@ -154,9 +181,9 @@ IN_PROC_BROWSER_TEST_F(SecurityExploitBrowserTest, SetWebUIProperty) {
|
| EXPECT_EQ(0,
|
| shell()->web_contents()->GetRenderViewHost()->GetEnabledBindings());
|
|
|
| - content::RenderProcessHostWatcher terminated(
|
| + RenderProcessHostWatcher terminated(
|
| shell()->web_contents(),
|
| - content::RenderProcessHostWatcher::WATCH_FOR_PROCESS_EXIT);
|
| + RenderProcessHostWatcher::WATCH_FOR_PROCESS_EXIT);
|
| shell()->web_contents()->GetRenderViewHost()->SetWebUIProperty(
|
| "toolkit", "views");
|
| terminated.Wait();
|
| @@ -281,7 +308,7 @@ IN_PROC_BROWSER_TEST_F(SecurityExploitBrowserTest,
|
| new SecurityExploitTestInterstitialPage(shell()->web_contents());
|
|
|
| ASSERT_EQ("", interstitial->last_command());
|
| - content::WaitForInterstitialAttach(shell()->web_contents());
|
| + WaitForInterstitialAttach(shell()->web_contents());
|
|
|
| InterstitialPage* interstitial_page =
|
| shell()->web_contents()->GetInterstitialPage();
|
| @@ -298,7 +325,7 @@ IN_PROC_BROWSER_TEST_F(SecurityExploitBrowserTest,
|
| // Send an automation message from the underlying content and wait for it to
|
| // be dispatched on this thread. This message should not be received by the
|
| // interstitial.
|
| - content::RenderFrameHost* compromised_renderer =
|
| + RenderFrameHost* compromised_renderer =
|
| shell()->web_contents()->GetMainFrame();
|
| FrameHostMsg_DomOperationResponse evil(compromised_renderer->GetRoutingID(),
|
| "evil", MSG_ROUTING_NONE);
|
| @@ -313,12 +340,97 @@ IN_PROC_BROWSER_TEST_F(SecurityExploitBrowserTest,
|
|
|
| // Send a second message from the interstitial page, and make sure that the
|
| // "evil" message doesn't arrive in the intervening period.
|
| - ASSERT_TRUE(content::ExecuteScript(
|
| - interstitial_page->GetMainFrame(),
|
| - "window.domAutomationController.send(\"okay2\");"));
|
| + ASSERT_TRUE(ExecuteScript(interstitial_page->GetMainFrame(),
|
| + "window.domAutomationController.send(\"okay2\");"));
|
| ASSERT_TRUE(message_queue.WaitForMessage(&message));
|
| ASSERT_EQ("\"okay2\"", message);
|
| ASSERT_EQ("\"okay2\"", interstitial->last_command());
|
| }
|
|
|
| +class IsolatedAppContentBrowserClient : public TestContentBrowserClient {
|
| + public:
|
| + bool IsIllegalOrigin(content::ResourceContext* resource_context,
|
| + int child_process_id,
|
| + const GURL& origin) override {
|
| + // Simulate a case where an app origin is not in an app process.
|
| + return true;
|
| + }
|
| +};
|
| +
|
| +// Renderer processes should not be able to spoof Origin HTTP headers.
|
| +IN_PROC_BROWSER_TEST_F(SecurityExploitBrowserTest, InvalidOriginHeaders) {
|
| + // Create a set of IPC messages with various Origin headers.
|
| + ResourceHostMsg_Request chrome_origin_msg(
|
| + CreateXHRRequestWithOrigin("chrome://settings"));
|
| + ResourceHostMsg_Request embedder_isolated_origin_msg(
|
| + CreateXHRRequestWithOrigin("https://isolated.bar.com"));
|
| + ResourceHostMsg_Request invalid_origin_msg(
|
| + CreateXHRRequestWithOrigin("invalidurl"));
|
| + ResourceHostMsg_Request invalid_scheme_origin_msg(
|
| + CreateXHRRequestWithOrigin("fake-scheme://foo"));
|
| +
|
| + GURL web_url("http://foo.com/simple_page.html");
|
| + NavigateToURL(shell(), web_url);
|
| + RenderFrameHost* web_rfh = shell()->web_contents()->GetMainFrame();
|
| +
|
| + // Web processes cannot make XHRs with chrome:// Origin headers.
|
| + {
|
| + RenderProcessHostWatcher web_process_killed(
|
| + web_rfh->GetProcess(),
|
| + RenderProcessHostWatcher::WATCH_FOR_PROCESS_EXIT);
|
| + IPC::IpcSecurityTestUtil::PwnMessageReceived(
|
| + web_rfh->GetProcess()->GetChannel(),
|
| + ResourceHostMsg_RequestResource(web_rfh->GetRoutingID(), 1,
|
| + chrome_origin_msg));
|
| + web_process_killed.Wait();
|
| + }
|
| +
|
| + // Web processes cannot make XHRs with URLs that the content embedder expects
|
| + // to have process isolation. Ideally this would test chrome-extension://
|
| + // URLs for Chrome Apps, but those can't be tested inside content/ and the
|
| + // ResourceHostMsg_Request IPC can't be created in a test outside content/.
|
| + NavigateToURL(shell(), web_url);
|
| + {
|
| + // Set up a ContentBrowserClient that simulates an app URL in a non-app
|
| + // process.
|
| + IsolatedAppContentBrowserClient app_client;
|
| + ContentBrowserClient* old_client = SetBrowserClientForTesting(&app_client);
|
| + RenderProcessHostWatcher web_process_killed(
|
| + web_rfh->GetProcess(),
|
| + RenderProcessHostWatcher::WATCH_FOR_PROCESS_EXIT);
|
| + IPC::IpcSecurityTestUtil::PwnMessageReceived(
|
| + web_rfh->GetProcess()->GetChannel(),
|
| + ResourceHostMsg_RequestResource(web_rfh->GetRoutingID(), 1,
|
| + embedder_isolated_origin_msg));
|
| + web_process_killed.Wait();
|
| + SetBrowserClientForTesting(old_client);
|
| + }
|
| +
|
| + // Web processes cannot make XHRs with invalid Origin headers.
|
| + NavigateToURL(shell(), web_url);
|
| + {
|
| + RenderProcessHostWatcher web_process_killed(
|
| + web_rfh->GetProcess(),
|
| + RenderProcessHostWatcher::WATCH_FOR_PROCESS_EXIT);
|
| + IPC::IpcSecurityTestUtil::PwnMessageReceived(
|
| + web_rfh->GetProcess()->GetChannel(),
|
| + ResourceHostMsg_RequestResource(web_rfh->GetRoutingID(), 1,
|
| + invalid_origin_msg));
|
| + web_process_killed.Wait();
|
| + }
|
| +
|
| + // Web processes cannot make XHRs with invalid scheme Origin headers.
|
| + NavigateToURL(shell(), web_url);
|
| + {
|
| + RenderProcessHostWatcher web_process_killed(
|
| + web_rfh->GetProcess(),
|
| + RenderProcessHostWatcher::WATCH_FOR_PROCESS_EXIT);
|
| + IPC::IpcSecurityTestUtil::PwnMessageReceived(
|
| + web_rfh->GetProcess()->GetChannel(),
|
| + ResourceHostMsg_RequestResource(web_rfh->GetRoutingID(), 1,
|
| + invalid_scheme_origin_msg));
|
| + web_process_killed.Wait();
|
| + }
|
| +}
|
| +
|
| } // namespace content
|
|
|
Chromium Code Reviews
Issue 1270663002:
Validate the Origin HTTP header in the browser process. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master