| Index: content/browser/frame_host/navigator_impl_unittest.cc
|
| diff --git a/content/browser/frame_host/navigator_impl_unittest.cc b/content/browser/frame_host/navigator_impl_unittest.cc
|
| index efb85766a817bd414a0de3a5063f90886c805664..28cce0799b7ad897534eea5134c33ae9466928cc 100644
|
| --- a/content/browser/frame_host/navigator_impl_unittest.cc
|
| +++ b/content/browser/frame_host/navigator_impl_unittest.cc
|
| @@ -1146,4 +1146,34 @@ TEST_F(NavigatorTestWithBrowserSideNavigation,
|
| }
|
| }
|
|
|
| +namespace {
|
| +void SetWithinPage(const GURL& url,
|
| + FrameHostMsg_DidCommitProvisionalLoad_Params* params) {
|
| + params->was_within_same_page = true;
|
| + params->url = url;
|
| +}
|
| +}
|
| +
|
| +// A renderer process might try and claim that a cross site navigation was
|
| +// within the same page by setting was_within_same_page = true for
|
| +// FrameHostMsg_DidCommitProvisionalLoad. Such case should be detected on the
|
| +// browser side and the renderer process should be killed.
|
| +TEST_F(NavigatorTestWithBrowserSideNavigation, CrossSiteClaimWithinPage) {
|
| + const GURL kUrl1("http://www.chromium.org/");
|
| + const GURL kUrl2("http://www.google.com/");
|
| +
|
| + contents()->NavigateAndCommit(kUrl1);
|
| + FrameTreeNode* node = main_test_rfh()->frame_tree_node();
|
| +
|
| + // Navigate to a different site.
|
| + int entry_id = RequestNavigation(node, kUrl2);
|
| + main_test_rfh()->PrepareForCommit();
|
| +
|
| + // Claim that the navigation was within same page.
|
| + int bad_msg_count = process()->bad_msg_count();
|
| + GetSpeculativeRenderFrameHost(node)->SendNavigateWithModificationCallback(
|
| + 0, entry_id, true, kUrl2, base::Bind(SetWithinPage, kUrl1));
|
| + EXPECT_EQ(process()->bad_msg_count(), bad_msg_count + 1);
|
| +}
|
| +
|
| } // namespace content
|
|
|
Chromium Code Reviews
Issue 1738233002:
Disallow was_within_same_page = true for a cross-process navigation (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master