Move 'frame-src' CSP checks into FrameFetchContext.

content/browser/site_per_process_browsertest.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/browser/site_per_process_browsertest.h"
 
 #include <stddef.h>
 #include <stdint.h>
 
 #include <algorithm>
@@ skipping 58 matching lines @@
 #endif
 
 #if defined(OS_MACOSX)
 #include "ui/base/test/scoped_preferred_scroller_style_mac.h"
 #endif
 
 namespace content {
 
 namespace {
 
+const GURL kBlockedURL("data:,");
+
 // Helper function to send a postMessage and wait for a reply message.  The
 // |post_message_script| is executed on the |sender_ftn| frame, and the sender
 // frame is expected to post |reply_status| from the DOMAutomationController
 // when it receives a reply.
 void PostMessageAndWaitForReply(FrameTreeNode* sender_ftn,
                                 const std::string& post_message_script,
                                 const std::string& reply_status) {
   // Subtle: msg_queue needs to be declared before the ExecuteScript below, or
   // else it might miss the message of interest.  See https://crbug.com/518729.
   DOMMessageQueue msg_queue;
@@ skipping 6066 matching lines @@
   ASSERT_TRUE(https_server.Start());
   SetupCrossSiteRedirector(&https_server);
 
   GURL iframe_url(
       https_server.GetURL("/mixed-content/basic-active-in-iframe.html"));
   EXPECT_TRUE(NavigateToURL(shell(), iframe_url));
   FrameTreeNode* root = web_contents()->GetFrameTree()->root();
   ASSERT_EQ(1U, root->child_count());
   FrameTreeNode* mixed_child = root->child_at(0)->child_at(0);
   ASSERT_TRUE(mixed_child);
-  // The child iframe attempted to create a mixed iframe; this should
-  // have been blocked, so the mixed iframe should not have committed a
-  // load.
-  EXPECT_FALSE(mixed_child->has_committed_real_load());
+  // The child iframe attempted to create a mixed iframe; this will commit
+  // a load to 'data:,' (so that it ends up in a unique origin).
+  EXPECT_TRUE(mixed_child->has_committed_real_load());
+  EXPECT_EQ(kBlockedURL, mixed_child->current_url());
 }
 
 // Test that subresources with certificate errors that are redundant
 // with the main page do not get reported to the browser. That is, if
 // https://redundant.test frames https://a.com which frames
 // https://redundant.test which loads an image with certificate errors,
 // the browser doesn't care and doesn't need to know about the image's
 // certificate errors because they are redundant with the main page
 // load.
 IN_PROC_BROWSER_TEST_F(SitePerProcessIgnoreCertErrorsBrowserTest,
@@ skipping 193 matching lines @@
 
   // The blocked frame should still fire a load event in its parent's process.
   EXPECT_EQ(expected_title, title_watcher.WaitAndGetTitle());
 
   // Check that the current RenderFrameHost has stopped loading.
   if (root->child_at(0)->current_frame_host()->is_loading()) {
     ADD_FAILURE() << "Blocked RenderFrameHost shouldn't be loading anything";
     load_observer.Wait();
   }
 
-  // The blocked frame should stay at the old location.
-  EXPECT_EQ(old_subframe_url, root->child_at(0)->current_url());
+  // The blocked frame should commit to |kBlockedURL|
+  EXPECT_EQ(kBlockedURL, root->child_at(0)->current_url());
 
-  // The blocked frame should keep the old title.
   std::string frame_title;
   EXPECT_TRUE(ExecuteScriptAndExtractString(
       root->child_at(0)->current_frame_host(),
       "domAutomationController.send(document.title)", &frame_title));
-  EXPECT_EQ("Title Of Awesomeness", frame_title);
+  EXPECT_EQ("", frame_title);
 
   // Navigate to a URL without CSP.
   EXPECT_TRUE(NavigateToURL(
       shell(), embedded_test_server()->GetURL("a.com", "/title1.html")));
 
   // Verify that the frame's CSP got correctly reset to an empty set.
   EXPECT_EQ(0u,
             root->current_replication_state().accumulated_csp_headers.size());
 }
 
@@ skipping 48 matching lines @@
 
   // The blocked frame should still fire a load event in its parent's process.
   EXPECT_EQ(expected_title, title_watcher.WaitAndGetTitle());
 
   // Check that the current RenderFrameHost has stopped loading.
   if (root->child_at(0)->current_frame_host()->is_loading()) {
     ADD_FAILURE() << "Blocked RenderFrameHost shouldn't be loading anything";
     load_observer2.Wait();
   }
 
-  // The blocked frame should stay at the old location.
-  EXPECT_EQ(old_subframe_url, root->child_at(0)->current_url());
+  // The blocked frame should commit to |kBlockedURL|
+  EXPECT_EQ(kBlockedURL, root->child_at(0)->current_url());
 
-  // The blocked frame should keep the old title.
   std::string frame_title;
   EXPECT_TRUE(ExecuteScriptAndExtractString(
       root->child_at(0)->current_frame_host(),
       "domAutomationController.send(document.title)", &frame_title));
-  EXPECT_EQ("Title Of Awesomeness", frame_title);
+  EXPECT_EQ("", frame_title);
 }
 
 // Test that a cross-origin frame's navigation can be blocked by CSP frame-src.
 // In this version of a test, CSP is inherited by srcdoc iframe from a parent
 // that declared CSP via HTTP headers.  Cross-origin frame navigating to a
 // blocked location is a child of the srcdoc iframe.
 IN_PROC_BROWSER_TEST_F(SitePerProcessBrowserTest,
                        CrossSiteIframeBlockedByCSPInheritedBySrcDocParent) {
   GURL main_url(
       embedded_test_server()->GetURL("a.com", "/frame-src-self-and-b.html"));
@@ skipping 42 matching lines @@
 
   // The blocked frame should still fire a load event in its parent's process.
   EXPECT_EQ(expected_title, title_watcher.WaitAndGetTitle());
 
   // Check that the current RenderFrameHost has stopped loading.
   if (navigating_frame->current_frame_host()->is_loading()) {
     ADD_FAILURE() << "Blocked RenderFrameHost shouldn't be loading anything";
     load_observer2.Wait();
   }
 
-  // The blocked frame should stay at the old location.
-  EXPECT_EQ(old_subframe_url, navigating_frame->current_url());
+  // The blocked frame should commit to |kBlockedURL|

[Charlie Reis, 2016/06/06 20:43:07]

nit: Keep the period.  (Same above.)

+  EXPECT_EQ(kBlockedURL, navigating_frame->current_url());
 
-  // The blocked frame should keep the old title.
   std::string frame_title;
   EXPECT_TRUE(ExecuteScriptAndExtractString(
       navigating_frame->current_frame_host(),
       "domAutomationController.send(document.title)", &frame_title));
-  EXPECT_EQ("Title Of Awesomeness", frame_title);
+  EXPECT_EQ("", frame_title);
 
   // Navigate the subframe to a URL without CSP.
   NavigateFrameToURL(srcdoc_frame,
                      embedded_test_server()->GetURL("a.com", "/title1.html"));
 
   // Verify that the frame's CSP got correctly reset to an empty set.
   EXPECT_EQ(
       0u,
       srcdoc_frame->current_replication_state().accumulated_csp_headers.size());
 }
@@ skipping 660 matching lines @@
   EXPECT_TRUE(is_fullscreen_allowed(root->child_at(0)));
   EXPECT_TRUE(is_fullscreen_allowed(root->child_at(0)->child_at(0)));
 
   // Cross-site navigation should preserve the fullscreen flags.
   NavigateFrameToURL(root->child_at(0)->child_at(0),
                      embedded_test_server()->GetURL("d.com", "/title1.html"));
   EXPECT_TRUE(is_fullscreen_allowed(root->child_at(0)->child_at(0)));
 }
 
 }  // namespace content