Prevent leaking PDF data cross-origin

chrome/browser/pdf/pdf_extension_test.cc

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include <vector>
 
 #include "base/base_paths.h"
 #include "base/files/file_enumerator.h"
 #include "base/files/file_util.h"
 #include "base/hash.h"
@@ skipping 25 matching lines @@
 #include "content/public/test/browser_test_utils.h"
 #include "extensions/browser/extension_registry.h"
 #include "extensions/common/manifest_handlers/mime_types_handler.h"
 #include "extensions/test/result_catcher.h"
 #include "net/test/embedded_test_server/embedded_test_server.h"
 #include "ui/base/resource/resource_bundle.h"
 #include "url/gurl.h"
 
 const int kNumberLoadTestParts = 10;
 
+bool GetGuestCallback(content::WebContents** guest_out,
+                      content::WebContents* guest) {
+  EXPECT_FALSE(*guest_out);
+  *guest_out = guest;
+  // Return false so that we iterate through all the guests and verify there is
+  // only one.
+  return false;
+}
+
 class PDFExtensionTest : public ExtensionApiTest,
                          public testing::WithParamInterface<int> {
  public:
   ~PDFExtensionTest() override {}
 
   void SetUpCommandLine(base::CommandLine* command_line) override {
     command_line->AppendSwitch(switches::kDisablePdfMaterialUI);
   }
 
   void SetUpOnMainThread() override {
@@ skipping 95 matching lines @@
         LOG(INFO) << "Loading: " << pdf_file;
         bool success = LoadPdf(embedded_test_server()->GetURL("/" + pdf_file));
         EXPECT_EQ(!PdfIsExpectedToFailLoad(pdf_file), success);
       }
       ++count;
     }
     // Assume that there is at least 1 pdf in the directory to guard against
     // someone deleting the directory and silently making the test pass.
     ASSERT_GE(count, 1u);
   }
+
+  void TestGetSelectedTextReply(GURL url, bool expect_success) {
+    ui_test_utils::NavigateToURL(browser(), url);
+    content::WebContents* web_contents =
+        browser()->tab_strip_model()->GetActiveWebContents();
+    ASSERT_TRUE(pdf_extension_test_util::EnsurePDFHasLoaded(web_contents));
+
+    // Reach into the guest and hook into it such that it posts back a 'flush'
+    // message after every getSelectedTextReply message sent.
+    content::BrowserPluginGuestManager* guest_manager =
+        web_contents->GetBrowserContext()->GetGuestManager();
+    content::WebContents* guest_contents = nullptr;
+    ASSERT_NO_FATAL_FAILURE(guest_manager->ForEachGuest(
+        web_contents, base::Bind(&GetGuestCallback, &guest_contents)));
+    ASSERT_TRUE(guest_contents);
+    ASSERT_TRUE(content::ExecuteScript(
+        guest_contents,
+        "var oldSendScriptingMessage = "
+        "    PDFViewer.prototype.sendScriptingMessage_;"
+        "PDFViewer.prototype.sendScriptingMessage_ = function(message) {"
+        "  oldSendScriptingMessage.bind(this)(message);"
+        "  if (message.type == 'getSelectedTextReply')"
+        "    this.parentWindow_.postMessage('flush', '*');"
+        "}"));
+
+    // Add an event listener for flush messages and request the selected text.
+    // If we get a flush message without receiving getSelectedText we know that
+    // the message didn't come through.
+    bool success = false;
+    ASSERT_TRUE(content::ExecuteScriptAndExtractBool(
+        web_contents,
+        "window.addEventListener('message', function(event) {"
+        "  if (event.data == 'flush')"
+        "    window.domAutomationController.send(false);"
+        "  if (event.data.type == 'getSelectedTextReply')"
+        "    window.domAutomationController.send(true);"
+        "});"
+        "document.getElementsByTagName('embed')[0].postMessage("
+        "    {type: 'getSelectedText'});",
+        &success));
+    ASSERT_EQ(expect_success, success);
+  }
 };
 
 IN_PROC_BROWSER_TEST_P(PDFExtensionTest, Load) {
 #if defined(GOOGLE_CHROME_BUILD)
   // Load private PDFs.
   LoadAllPdfsTest("pdf_private", GetParam());
 #endif
   // Load public PDFs.
   LoadAllPdfsTest("pdf", GetParam());
 }
@@ skipping 97 matching lines @@
 }
 
 IN_PROC_BROWSER_TEST_F(PDFExtensionTest, ParamsParser) {
   RunTestsInFile("params_parser_test.js", "test.pdf");
 }
 
 IN_PROC_BROWSER_TEST_F(PDFExtensionTest, ZoomManager) {
   RunTestsInFile("zoom_manager_test.js", "test.pdf");
 }
 
+// Ensure that the internal PDF plugin application/x-google-chrome-pdf won't be
+// loaded if it's not loaded in the chrome extension page.
+IN_PROC_BROWSER_TEST_F(PDFExtensionTest, EnsureInternalPluginDisabled) {
+  std::string url = embedded_test_server()->GetURL("/pdf/test.pdf").spec();
+  std::string data_url =
+      "data:text/html,"
+      "<html><body>"
+      "<embed type=\"application/x-google-chrome-pdf\" src=\"" +
+      url +
+      "\">"
+      "</body></html>";
+  ui_test_utils::NavigateToURL(browser(), GURL(data_url));
+  content::WebContents* web_contents =
+      browser()->tab_strip_model()->GetActiveWebContents();
+  bool plugin_loaded = false;
+  ASSERT_TRUE(content::ExecuteScriptAndExtractBool(
+      web_contents,
+      "var plugin_loaded = "
+      "    document.getElementsByTagName('embed')[0].postMessage !== undefined;"
+      "window.domAutomationController.send(plugin_loaded);",
+      &plugin_loaded));
+  ASSERT_FALSE(plugin_loaded);
+}
+
+// Ensure cross-origin replies won't work for getSelectedText.
+IN_PROC_BROWSER_TEST_F(PDFExtensionTest, EnsureCrossOriginRepliesBlocked) {
+  std::string url = embedded_test_server()->GetURL("/pdf/test.pdf").spec();
+  std::string data_url =
+      "data:text/html,"
+      "<html><body>"
+      "<embed type=\"application/pdf\" src=\"" +
+      url +
+      "\">"
+      "</body></html>";
+  TestGetSelectedTextReply(GURL(data_url), false);
+}
+
+// Ensure same-origin replies do work for getSelectedText.
+IN_PROC_BROWSER_TEST_F(PDFExtensionTest, EnsureSameOriginRepliesAllowed) {
+  TestGetSelectedTextReply(embedded_test_server()->GetURL("/pdf/test.pdf"),
+                           true);
+}
+
 class MaterialPDFExtensionTest : public PDFExtensionTest {
   void SetUpCommandLine(base::CommandLine* command_line) override {
     command_line->AppendSwitch(switches::kEnablePdfMaterialUI);
   }
 };
 
 IN_PROC_BROWSER_TEST_F(MaterialPDFExtensionTest, Basic) {
   RunTestsInFile("basic_test_material.js", "test.pdf");
 }
 
@@ skipping 23 matching lines @@
 
 IN_PROC_BROWSER_TEST_F(MaterialPDFExtensionTest, Elements) {
   // Although this test file does not require a PDF to be loaded, loading the
   // elements without loading a PDF is difficult.
   RunTestsInFile("material_elements_test.js", "test.pdf");
 }
 
 IN_PROC_BROWSER_TEST_F(MaterialPDFExtensionTest, ToolbarManager) {
   RunTestsInFile("toolbar_manager_test.js", "test.pdf");
 }