
Unified Diff: content/browser/web_contents/web_contents_impl_browsertest.cc

Issue 1917073002: Block webpages from navigating to view-source URLs (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Add layout and browser tests Created 4 years, 7 months ago
Index: content/browser/web_contents/web_contents_impl_browsertest.cc
diff --git a/content/browser/web_contents/web_contents_impl_browsertest.cc b/content/browser/web_contents/web_contents_impl_browsertest.cc
index 55e00c56a3ffd08c3d3b1d99be653b83ba2fa5e5..aa27413b6732d97b868f666cdfe5b9dbfb3419e1 100644
--- a/content/browser/web_contents/web_contents_impl_browsertest.cc
+++ b/content/browser/web_contents/web_contents_impl_browsertest.cc
@@ -770,6 +770,66 @@ IN_PROC_BROWSER_TEST_F(WebContentsImplBrowserTest, ChangePageScale) {
observer.WaitForPageScaleUpdate();
}
+// Test that a direct navigation to a view-source URL works.
+IN_PROC_BROWSER_TEST_F(WebContentsImplBrowserTest, ViewSourceDirectNavigation) {
+ ASSERT_TRUE(embedded_test_server()->Start());
+ const GURL kUrl(embedded_test_server()->GetURL("/simple_page.html"));
+ const GURL kViewSourceURL(kViewSourceScheme + std::string(":") + kUrl.spec());
+ NavigateToURL(shell(), kViewSourceURL);
+ // Displayed view-source URLs don't include the scheme of the effective URL
Charlie Reis 2016/05/24 22:54:16 nit: Just for HTTP, right?
meacer 2016/05/31 23:57:54 Done.
+ // (e.g. view-source:example.com instead of view-source:http://example.com).
+ EXPECT_EQ(base::ASCIIToUTF16(std::string("view-source:") + kUrl.host() + ":" +
+ kUrl.port() + kUrl.path()),
+ shell()->web_contents()->GetTitle());
Charlie Reis 2016/05/24 22:54:16 Maybe we can also check that we're in view-source
meacer 2016/05/31 23:57:54 Done, except for window.open case where there is n
+}
+
+// Test that window.open to a view-source URL is blocked.
+IN_PROC_BROWSER_TEST_F(WebContentsImplBrowserTest,
+ ViewSourceWindowOpen_ShouldBeBlocked) {
+ ASSERT_TRUE(embedded_test_server()->Start());
+ const GURL kUrl(embedded_test_server()->GetURL("/simple_page.html"));
+ const GURL kViewSourceURL(kViewSourceScheme + std::string(":") + kUrl.spec());
+ NavigateToURL(shell(), kUrl);
+
+ ShellAddedObserver new_shell_observer;
+ EXPECT_TRUE(ExecuteScript(shell()->web_contents(),
+ "window.open('" + kViewSourceURL.spec() + "');"));
+ Shell* new_shell = new_shell_observer.GetShell();
+ WaitForLoadStop(new_shell->web_contents());
+ // EXPECT_EQ("", static_cast<WebContentsImpl*>(new_shell->web_contents())
Charlie Reis 2016/05/24 22:54:16 nit: Remove.
meacer 2016/05/31 23:57:54 Done.
+ EXPECT_EQ("", new_shell->web_contents()->GetURL().spec());
Charlie Reis 2016/05/24 22:54:16 Can we use a ConsoleObserverDelegate on shell() in
meacer 2016/05/31 23:57:54 Unfortunately no, because the console message gets
Charlie Reis 2016/06/01 22:59:51 Acknowledged.
+}
+
+// Test that a content initiated navigation to a view-source URL is blocked.
+IN_PROC_BROWSER_TEST_F(WebContentsImplBrowserTest,
+ ViewSourceRedirect_ShouldBeBlocked) {
+ ASSERT_TRUE(embedded_test_server()->Start());
+ const GURL kUrl(embedded_test_server()->GetURL("/simple_page.html"));
+ const GURL kViewSourceURL(kViewSourceScheme + std::string(":") + kUrl.spec());
+ NavigateToURL(shell(), kUrl);
+
+ std::unique_ptr<ConsoleObserverDelegate> console_delegate(
+ new ConsoleObserverDelegate(
+ shell()->web_contents(),
+ "Not allowed to load local resource: view-source:*"));
+ shell()->web_contents()->SetDelegate(console_delegate.get());
+
+ EXPECT_TRUE(
+ ExecuteScript(shell()->web_contents(),
+ "window.location = '" + kViewSourceURL.spec() + "';"));
+ console_delegate->Wait();
+ // Original page shouldn't navigate away.
+ EXPECT_EQ(kUrl, shell()->web_contents()->GetURL());
+}
+
+// Test that view source mode for a webui page can be opened.
+IN_PROC_BROWSER_TEST_F(WebContentsImplBrowserTest, ViewSourceWebUI) {
+ const char kUrl[] = "view-source:chrome://chrome/settings";
+ const GURL kGURL(kUrl);
+ NavigateToURL(shell(), kGURL);
+ EXPECT_EQ(base::ASCIIToUTF16(kUrl), shell()->web_contents()->GetTitle());
+}
+
IN_PROC_BROWSER_TEST_F(WebContentsImplBrowserTest, NewNamedWindow) {
ASSERT_TRUE(embedded_test_server()->Start());
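Review bot: `ViewSourceRedirect_ShouldBeBlocked` never performs a redirect: it assigns `window.location` from script, so the test name overstates what is pinned. Together with the `window.open` test, only two script-driven paths into `view-source:` are exercised in this file; a server-side redirect or a link click is not, unless the layout tests mentioned in the patch set title cover them (not visible here). I would rename the test to something like `ViewSourceLocationAssign_ShouldBeBlocked` and reword its comment to `// Test that a script assignment to window.location with a view-source URL is blocked.`, so a later reader does not assume HTTP redirects are covered by this test.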
