Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(1289)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: content/browser/site_per_process_browsertest.cc

Issue 1812723002: Add URL validation to navigations initiated via RenderFrameProxyHosts. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Created 4 years, 9 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« content/browser/frame_host/render_frame_proxy_host.cc ('K') | « content/browser/frame_host/render_frame_proxy_host.cc ('k') | no next file » | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: content/browser/site_per_process_browsertest.cc
diff --git a/content/browser/site_per_process_browsertest.cc b/content/browser/site_per_process_browsertest.cc
index 039a331eafa71efa0e1b3dac131aeb9b0f3b68c4..09df1c951fb5018962da8aee2143ed68aff5c1ae 100644
--- a/content/browser/site_per_process_browsertest.cc
+++ b/content/browser/site_per_process_browsertest.cc
@@ -40,6 +40,7 @@
#include "content/public/browser/resource_dispatcher_host.h"
#include "content/public/common/browser_side_navigation_policy.h"
#include "content/public/common/content_switches.h"
+#include "content/public/common/url_constants.h"
#include "content/public/test/browser_test_utils.h"
#include "content/public/test/content_browser_test_utils.h"
#include "content/public/test/test_navigation_observer.h"
@@ -3667,6 +3668,42 @@ IN_PROC_BROWSER_TEST_F(SitePerProcessBrowserTest, OpenPopupWithRemoteParent) {
EXPECT_TRUE(success);
}
+// Test that cross-process popups can't be navigated to disallowed URLs by
+// their opener. This ensures that proper URL validation is performed when
+// RenderFrameProxyHosts are navigated. See https://crbug.com/595339.
+IN_PROC_BROWSER_TEST_F(SitePerProcessBrowserTest, NavigatePopupToIllegalURL) {
+ GURL main_url(embedded_test_server()->GetURL("a.com", "/title1.html"));
+ EXPECT_TRUE(NavigateToURL(shell(), main_url));
+
+ // Open a cross-site popup.
+ GURL popup_url(embedded_test_server()->GetURL("b.com", "/title2.html"));
+ Shell* popup = OpenPopup(shell()->web_contents(), popup_url, "foo");
+ EXPECT_TRUE(popup);
+ EXPECT_NE(popup->web_contents()->GetSiteInstance(),
+ shell()->web_contents()->GetSiteInstance());
+
+ // From the opener, navigate the popup to a file:/// URL. This should be
+ // disallowed and result in an about:blank navigation.
+ GURL file_url("file:///");
+ NavigateNamedFrame(shell()->web_contents(), file_url, "foo");
+ EXPECT_TRUE(WaitForLoadStop(popup->web_contents()));
+ EXPECT_EQ(GURL(url::kAboutBlankURL),
+ popup->web_contents()->GetLastCommittedURL());
+
+ // Navigate popup back to a cross-site URL.
+ EXPECT_TRUE(NavigateToURL(popup, popup_url));
+ EXPECT_NE(popup->web_contents()->GetSiteInstance(),
+ shell()->web_contents()->GetSiteInstance());
+
+ // Now try the same test with a chrome:// URL.
+ GURL chrome_url(std::string(kChromeUIScheme) + "://" +
+ std::string(kChromeUIGpuHost));
+ NavigateNamedFrame(shell()->web_contents(), chrome_url, "foo");
+ EXPECT_TRUE(WaitForLoadStop(popup->web_contents()));
+ EXPECT_EQ(GURL(url::kAboutBlankURL),
+ popup->web_contents()->GetLastCommittedURL());
+}
+
// Verify that named frames are discoverable from their opener's ancestors.
// See https://crbug.com/511474.
IN_PROC_BROWSER_TEST_F(SitePerProcessBrowserTest,
« content/browser/frame_host/render_frame_proxy_host.cc ('K') | « content/browser/frame_host/render_frame_proxy_host.cc ('k') | no next file » | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698