chrome/browser/extensions/service_worker_apitest.cc - Issue 2009453002: service worker: Don't control a subframe of an insecure context

Side by Side Diff: chrome/browser/extensions/service_worker_apitest.cc

Issue 2009453002: service worker: Don't control a subframe of an insecure context (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master

Patch Set: kinuko comments Created 4 years, 6 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch

« no previous file with comments | « chrome/browser/chrome_content_browser_client.cc ('k') | content/browser/service_worker/service_worker_browsertest.cc » ('j') | no next file with comments »

OLD	NEW
1 // Copyright 2015 The Chromium Authors. All rights reserved.	1 // Copyright 2015 The Chromium Authors. All rights reserved.

2 // Use of this source code is governed by a BSD-style license that can be	2 // Use of this source code is governed by a BSD-style license that can be

3 // found in the LICENSE file.	3 // found in the LICENSE file.

4	4

5 #include <stdint.h>	5 #include <stdint.h>

6	6

7 #include "base/bind_helpers.h"	7 #include "base/bind_helpers.h"

8 #include "base/macros.h"	8 #include "base/macros.h"

9 #include "base/strings/stringprintf.h"	9 #include "base/strings/stringprintf.h"

10 #include "base/strings/utf_string_conversions.h"	10 #include "base/strings/utf_string_conversions.h"

11 #include "chrome/browser/extensions/extension_apitest.h"	11 #include "chrome/browser/extensions/extension_apitest.h"

12 #include "chrome/browser/extensions/extension_service.h"	12 #include "chrome/browser/extensions/extension_service.h"

13 #include "chrome/browser/notifications/desktop_notification_profile_util.h"	13 #include "chrome/browser/notifications/desktop_notification_profile_util.h"

14 #include "chrome/browser/push_messaging/push_messaging_app_identifier.h"	14 #include "chrome/browser/push_messaging/push_messaging_app_identifier.h"

15 #include "chrome/browser/push_messaging/push_messaging_service_factory.h"	15 #include "chrome/browser/push_messaging/push_messaging_service_factory.h"

16 #include "chrome/browser/push_messaging/push_messaging_service_impl.h"	16 #include "chrome/browser/push_messaging/push_messaging_service_impl.h"

17 #include "chrome/browser/services/gcm/fake_gcm_profile_service.h"	17 #include "chrome/browser/services/gcm/fake_gcm_profile_service.h"

18 #include "chrome/browser/services/gcm/gcm_profile_service_factory.h"	18 #include "chrome/browser/services/gcm/gcm_profile_service_factory.h"

19 #include "chrome/browser/ui/tabs/tab_strip_model.h"	19 #include "chrome/browser/ui/tabs/tab_strip_model.h"

20 #include "chrome/test/base/ui_test_utils.h"	20 #include "chrome/test/base/ui_test_utils.h"

21 #include "components/version_info/version_info.h"	21 #include "components/version_info/version_info.h"

22 #include "content/public/browser/navigation_controller.h"	22 #include "content/public/browser/navigation_controller.h"

23 #include "content/public/browser/navigation_entry.h"	23 #include "content/public/browser/navigation_entry.h"

24 #include "content/public/browser/web_contents.h"	24 #include "content/public/browser/web_contents.h"

25 #include "content/public/common/content_switches.h"	25 #include "content/public/common/content_switches.h"

	26 #include "content/public/common/origin_util.h"

26 #include "content/public/common/page_type.h"	27 #include "content/public/common/page_type.h"

27 #include "content/public/test/background_sync_test_util.h"	28 #include "content/public/test/background_sync_test_util.h"

28 #include "content/public/test/browser_test_utils.h"	29 #include "content/public/test/browser_test_utils.h"

29 #include "extensions/browser/extension_host.h"	30 #include "extensions/browser/extension_host.h"

30 #include "extensions/browser/extension_registry.h"	31 #include "extensions/browser/extension_registry.h"

31 #include "extensions/browser/process_manager.h"	32 #include "extensions/browser/process_manager.h"

32 #include "extensions/test/background_page_watcher.h"	33 #include "extensions/test/background_page_watcher.h"

33 #include "extensions/test/extension_test_message_listener.h"	34 #include "extensions/test/extension_test_message_listener.h"

	35 #include "net/dns/mock_host_resolver.h"

34 #include "net/test/embedded_test_server/embedded_test_server.h"	36 #include "net/test/embedded_test_server/embedded_test_server.h"

35	37

36 namespace extensions {	38 namespace extensions {

37	39

38 namespace {	40 namespace {

39	41

40 // Pass into ServiceWorkerTest::StartTestFromBackgroundPage to indicate that	42 // Pass into ServiceWorkerTest::StartTestFromBackgroundPage to indicate that

41 // registration is expected to succeed.	43 // registration is expected to succeed.

42 std::string* const kExpectSuccess = nullptr;	44 std::string* const kExpectSuccess = nullptr;

43	45

(...skipping 581 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
625 // This test also verifies that if the requested resource exists in the manifest	627 // This test also verifies that if the requested resource exists in the manifest

626 // but is not present in the extension directory, the Service Worker can still	628 // but is not present in the extension directory, the Service Worker can still

627 // serve the resource file.	629 // serve the resource file.

628 IN_PROC_BROWSER_TEST_F(ServiceWorkerTest, WebAccessibleResourcesIframeSrc) {	630 IN_PROC_BROWSER_TEST_F(ServiceWorkerTest, WebAccessibleResourcesIframeSrc) {

629 const Extension* extension = LoadExtensionWithFlags(	631 const Extension* extension = LoadExtensionWithFlags(

630 test_data_dir_.AppendASCII(	632 test_data_dir_.AppendASCII(

631 "service_worker/web_accessible_resources/iframe_src"),	633 "service_worker/web_accessible_resources/iframe_src"),

632 kFlagNone);	634 kFlagNone);

633 ASSERT_TRUE(extension);	635 ASSERT_TRUE(extension);

634 ASSERT_TRUE(StartEmbeddedTestServer());	636 ASSERT_TRUE(StartEmbeddedTestServer());

635 GURL page_url = embedded_test_server()->GetURL(	637

636 "/extensions/api_test/service_worker/web_accessible_resources/"	638 // Extension service workers must be able to control insecure contexts. So set
	Devlin 2016/06/06 15:20:57 I don't quite understand this comment. I'm assumi I don't quite understand this comment. I'm assuming "insecure context" refers to a.com? The extension isn't actually controlling the insecure context at all (we don't allow extensions to serve up other origins) - it just controls and extension page (secure context) iframed within an insecure context. Right? Or am I missing something? Marijn Kruisselbrink 2016/06/06 17:31:20 An iframe within an insecure context is itself an Show quoted text On 2016/06/06 at 15:20:57, Devlin wrote: > I don't quite understand this comment. I'm assuming "insecure context" refers to a.com? The extension isn't actually controlling the insecure context at all (we don't allow extensions to serve up other origins) - it just controls and extension page (secure context) iframed within an insecure context. Right? Or am I missing something? An iframe within an insecure context is itself an insecure context, even if it is served from a secure scheme like https (see example 7 in https://w3c.github.io/webappsec-secure-contexts/#examples-framed). But yes, it does seem like the comment could do a better job explaining what this code is doing (probably by mentioning iframes inside insecure contexts rather than just insecure contexts). falken 2016/06/07 01:15:30 Thanks, I revised the comment. What do you think? Show quoted text On 2016/06/06 17:31:20, Marijn Kruisselbrink wrote: > On 2016/06/06 at 15:20:57, Devlin wrote: > > I don't quite understand this comment. I'm assuming "insecure context" refers > to a.com? The extension isn't actually controlling the insecure context at all > (we don't allow extensions to serve up other origins) - it just controls and > extension page (secure context) iframed within an insecure context. Right? Or > am I missing something? > > An iframe within an insecure context is itself an insecure context, even if it > is served from a secure scheme like https (see example 7 in > https://w3c.github.io/webappsec-secure-contexts/#examples-framed). But yes, it > does seem like the comment could do a better job explaining what this code is > doing (probably by mentioning iframes inside insecure contexts rather than just > insecure contexts). Thanks, I revised the comment. What do you think?
637 "webpage.html");	639 // up an insecure URL.

	640 host_resolver()->AddRule("a.com", "127.0.0.1");

	641 GURL page_url =

	642 embedded_test_server()->GetURL("a.com",

	643 "/extensions/api_test/service_worker/"

	644 "web_accessible_resources/webpage.html");

	645 EXPECT_FALSE(content::IsOriginSecure(page_url));

638	646

639 content::WebContents* web_contents = AddTab(browser(), page_url);	647 content::WebContents* web_contents = AddTab(browser(), page_url);

640 std::string result;	648 std::string result;

641 // webpage.html will create an iframe pointing to a resource from \|extension\|.	649 // webpage.html will create an iframe pointing to a resource from \|extension\|.

642 // Expect the resource to be served by the extension.	650 // Expect the resource to be served by the extension.

643 EXPECT_TRUE(content::ExecuteScriptAndExtractString(	651 EXPECT_TRUE(content::ExecuteScriptAndExtractString(

644 web_contents, base::StringPrintf("window.testIframe('%s', 'iframe.html')",	652 web_contents, base::StringPrintf("window.testIframe('%s', 'iframe.html')",

645 extension->id().c_str()),	653 extension->id().c_str()),

646 &result));	654 &result));

647 EXPECT_EQ("FROM_EXTENSION_RESOURCE", result);	655 EXPECT_EQ("FROM_EXTENSION_RESOURCE", result);

(...skipping 106 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
754 message.sender_id = "1234567890";	762 message.sender_id = "1234567890";

755 message.raw_data = "testdata";	763 message.raw_data = "testdata";

756 message.decrypted = true;	764 message.decrypted = true;

757 push_service()->SetMessageCallbackForTesting(run_loop.QuitClosure());	765 push_service()->SetMessageCallbackForTesting(run_loop.QuitClosure());

758 push_service()->OnMessage(app_identifier.app_id(), message);	766 push_service()->OnMessage(app_identifier.app_id(), message);

759 EXPECT_TRUE(push_message_listener.WaitUntilSatisfied());	767 EXPECT_TRUE(push_message_listener.WaitUntilSatisfied());

760 run_loop.Run(); // Wait until the message is handled by push service.	768 run_loop.Run(); // Wait until the message is handled by push service.

761 }	769 }

762	770

763 } // namespace extensions	771 } // namespace extensions

OLD	NEW