Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(297)

Unified Diff: third_party/WebKit/Source/web/tests/WebFrameTest.cpp

Issue 2009453002: service worker: Don't control a subframe of an insecure context (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: refactor errorMessage Created 4 years, 6 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« no previous file with comments | « third_party/WebKit/Source/web/WebFrame.cpp ('k') | third_party/WebKit/public/web/WebFrame.h » ('j') | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: third_party/WebKit/Source/web/tests/WebFrameTest.cpp
diff --git a/third_party/WebKit/Source/web/tests/WebFrameTest.cpp b/third_party/WebKit/Source/web/tests/WebFrameTest.cpp
index b2d4ad274c57325a801197399a9ac6e4980b9bcb..42bad3f9cf90c9f4b80effcc02a12ff65fcbd6a3 100644
--- a/third_party/WebKit/Source/web/tests/WebFrameTest.cpp
+++ b/third_party/WebKit/Source/web/tests/WebFrameTest.cpp
@@ -8690,4 +8690,62 @@ TEST(WebFrameGlobalReuseTest, ReuseForMainFrameIfEnabled)
EXPECT_EQ("world", toCoreString(result->ToString(mainFrame->mainWorldScriptContext()).ToLocalChecked()));
}
+static void setSecurityOrigin(WebFrame* frame, PassRefPtr<SecurityOrigin> securityOrigin)
+{
+ Document* document = frame->document();
+ document->setSecurityOrigin(securityOrigin);
+}
+
+TEST_F(WebFrameTest, CanHaveSecureChild)
+{
+ FrameTestHelpers::WebViewHelper helper;
+ FrameTestHelpers::TestWebFrameClient client;
+ helper.initialize(true, &client, nullptr, nullptr);
+ WebFrame* mainFrame = helper.webView()->mainFrame();
+ RefPtr<SecurityOrigin> secureOrigin = SecurityOrigin::createFromString("https://example.com");
+ RefPtr<SecurityOrigin> insecureOrigin = SecurityOrigin::createFromString("http://example.com");
+
+ // Secure frame.
+ setSecurityOrigin(mainFrame, secureOrigin);
+ ASSERT_TRUE(mainFrame->canHaveSecureChild());
+
+ // Insecure frame.
+ setSecurityOrigin(mainFrame, insecureOrigin);
+ ASSERT_FALSE(mainFrame->canHaveSecureChild());
+
+ // Create a chain of frames.
+ FrameTestHelpers::loadFrame(mainFrame, "data:text/html,<iframe></iframe>");
+ WebFrame* childFrame = mainFrame->firstChild();
+ FrameTestHelpers::loadFrame(childFrame, "data:text/html,<iframe></iframe>");
+ WebFrame* grandchildFrame = childFrame->firstChild();
+
+ // Secure -> insecure -> secure frame.
+ setSecurityOrigin(mainFrame, secureOrigin);
+ setSecurityOrigin(childFrame, insecureOrigin);
+ setSecurityOrigin(grandchildFrame, secureOrigin);
+ ASSERT_TRUE(mainFrame->canHaveSecureChild());
+ ASSERT_FALSE(childFrame->canHaveSecureChild());
+ ASSERT_FALSE(grandchildFrame->canHaveSecureChild());
+
+ // A document in an insecure context can be considered secure if it has a
+ // scheme that bypasses the secure context check. But the exception doesn't
+ // apply to children of that document's frame.
+ SchemeRegistry::registerURLSchemeBypassingSecureContextCheck("very-special-scheme");
+ SchemeRegistry::registerURLSchemeAsSecure("very-special-scheme");
+ RefPtr<SecurityOrigin> specialOrigin = SecurityOrigin::createFromString("very-special-scheme://example.com");
+
+ setSecurityOrigin(mainFrame, insecureOrigin);
+ setSecurityOrigin(childFrame, specialOrigin);
+ setSecurityOrigin(grandchildFrame, secureOrigin);
+ ASSERT_FALSE(mainFrame->canHaveSecureChild());
+ ASSERT_FALSE(childFrame->canHaveSecureChild());
+ ASSERT_FALSE(grandchildFrame->canHaveSecureChild());
+ Document* mainDocument = mainFrame->document();
+ Document* childDocument = childFrame->document();
+ Document* grandchildDocument = grandchildFrame->document();
+ ASSERT_FALSE(mainDocument->isSecureContext());
+ ASSERT_TRUE(childDocument->isSecureContext());
+ ASSERT_FALSE(grandchildDocument->isSecureContext());
+}
+
} // namespace blink
« no previous file with comments | « third_party/WebKit/Source/web/WebFrame.cpp ('k') | third_party/WebKit/public/web/WebFrame.h » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698