Fix in-page logic for allow_universal_access_from_files.

content/browser/frame_host/navigation_controller_impl_unittest.cc

 // Copyright 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "base/basictypes.h"
 #include "base/bind.h"
 #include "base/command_line.h"
 #include "base/files/file_util.h"
 #include "base/memory/scoped_ptr.h"
 #include "base/stl_util.h"
@@ skipping 3587 matching lines @@
   // Going back to the non ref url will be considered in-page if the navigation
   // type is IN_PAGE.
   EXPECT_TRUE(controller.IsURLInPageNavigation(url, true,
       main_test_rfh()));
 
   // If the renderer says this is a same-origin in-page navigation, believe it.
   // This is the pushState/replaceState case.
   EXPECT_TRUE(controller.IsURLInPageNavigation(other_url, true,
       main_test_rfh()));
 
+  // Don't believe the renderer if it claims a cross-origin navigation is
+  // in-page.
+  const GURL different_origin_url("http://www.example.com");
+  MockRenderProcessHost* rph = main_test_rfh()->GetProcess();
+  EXPECT_EQ(0, rph->bad_msg_count());
+  EXPECT_FALSE(controller.IsURLInPageNavigation(different_origin_url, true,
+                                                main_test_rfh()));
+  EXPECT_EQ(1, rph->bad_msg_count());
+}
+
+// Tests that IsInPageNavigation behaves properly with the
+// allow_universal_access_from_file_urls flag.
+TEST_F(NavigationControllerTest, IsInPageNavigationWithUniversalFileAccess) {
+  NavigationControllerImpl& controller = controller_impl();
+
   // Test allow_universal_access_from_file_urls flag.
   const GURL different_origin_url("http://www.example.com");
   MockRenderProcessHost* rph = main_test_rfh()->GetProcess();
   WebPreferences prefs = test_rvh()->GetWebkitPreferences();
   prefs.allow_universal_access_from_file_urls = true;
   test_rvh()->UpdateWebkitPreferences(prefs);
   prefs = test_rvh()->GetWebkitPreferences();
   EXPECT_TRUE(prefs.allow_universal_access_from_file_urls);
-  // Allow in page navigation if existing URL is file scheme.
+
+  // Allow in page navigation to be cross-origin if existing URL is file scheme.
   const GURL file_url("file:///foo/index.html");
-  main_test_rfh()->NavigateAndCommitRendererInitiated(0, false, file_url);
+  const url::Origin file_origin(file_url);
+  main_test_rfh()->NavigateAndCommitRendererInitiated(0, true, file_url);
+  EXPECT_TRUE(file_origin.IsSameOriginWith(
+      main_test_rfh()->frame_tree_node()->current_origin()));
   EXPECT_EQ(0, rph->bad_msg_count());
   EXPECT_TRUE(controller.IsURLInPageNavigation(different_origin_url, true,
       main_test_rfh()));
   EXPECT_EQ(0, rph->bad_msg_count());
-  // Don't honor allow_universal_access_from_file_urls if existing URL is
+
+  // Doing a replaceState to a cross-origin URL is thus allowed.
+  FrameHostMsg_DidCommitProvisionalLoad_Params params;
+  params.page_id = 1;
+  params.nav_entry_id = 1;
+  params.did_create_new_entry = false;
+  params.url = different_origin_url;
+  params.origin = file_origin;
+  params.transition = ui::PAGE_TRANSITION_LINK;
+  params.gesture = NavigationGestureUser;
+  params.page_state = PageState::CreateFromURL(different_origin_url);
+  params.was_within_same_page = true;
+  params.is_post = false;
+  params.post_id = -1;
+  main_test_rfh()->SendRendererInitiatedNavigationRequest(different_origin_url,
+                                                          false);
+  main_test_rfh()->PrepareForCommit();
+  contents()->GetMainFrame()->SendNavigateWithParams(&params);
+
+  // At this point, we should still consider the current origin to be file://,
+  // so that a file URL would still be in-page.  See https://crbug.com/553418.
+  EXPECT_TRUE(file_origin.IsSameOriginWith(
+      main_test_rfh()->frame_tree_node()->current_origin()));
+  EXPECT_TRUE(
+      controller.IsURLInPageNavigation(file_url, true, main_test_rfh()));
+  EXPECT_EQ(0, rph->bad_msg_count());
+
+  // Don't honor allow_universal_access_from_file_urls if actual URL is
   // not file scheme.
-  main_test_rfh()->NavigateAndCommitRendererInitiated(0, false, url);
+  const GURL url("http://www.google.com/home.html");
+  main_test_rfh()->NavigateAndCommitRendererInitiated(2, true, url);
   EXPECT_FALSE(controller.IsURLInPageNavigation(different_origin_url, true,
       main_test_rfh()));
   EXPECT_EQ(1, rph->bad_msg_count());
-
-  // Remove allow_universal_access_from_file_urls flag.
-  prefs.allow_universal_access_from_file_urls = false;
-  test_rvh()->UpdateWebkitPreferences(prefs);
-  prefs = test_rvh()->GetWebkitPreferences();
-  EXPECT_FALSE(prefs.allow_universal_access_from_file_urls);
-
-  // Don't believe the renderer if it claims a cross-origin navigation is
-  // in-page.
-  EXPECT_EQ(1, rph->bad_msg_count());
-  EXPECT_FALSE(controller.IsURLInPageNavigation(different_origin_url, true,
-      main_test_rfh()));
-  EXPECT_EQ(2, rph->bad_msg_count());
 }
 
 // Some pages can have subframes with the same base URL (minus the reference) as
 // the main page. Even though this is hard, it can happen, and we don't want
 // these subframe navigations to affect the toplevel document. They should
 // instead be ignored.  http://crbug.com/5585
 TEST_F(NavigationControllerTest, SameSubframe) {
   NavigationControllerImpl& controller = controller_impl();
   // Navigate the main frame.
   const GURL url("http://www.google.com/");
@@ skipping 1404 matching lines @@
   EXPECT_EQ(default_ssl_status.connection_status,
             details.ssl_status.connection_status);
   EXPECT_EQ(default_ssl_status.content_status,
             details.ssl_status.content_status);
   EXPECT_EQ(0u, details.ssl_status.signed_certificate_timestamp_ids.size());
 
   EXPECT_EQ(1, main_test_rfh()->GetProcess()->bad_msg_count());
 }
 
 }  // namespace content