Fixing renderer's access to a file from HTTP POST (after a xsite transfer).

content/browser/frame_host/render_frame_host_manager_browsertest.cc

 // Copyright 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include <stddef.h>
 #include <stdint.h>
 
+#include <memory>
 #include <set>
 
 #include "base/command_line.h"
+#include "base/files/file_util.h"
+#include "base/files/scoped_temp_dir.h"
 #include "base/json/json_reader.h"
 #include "base/location.h"
 #include "base/memory/ref_counted.h"
 #include "base/path_service.h"
 #include "base/single_thread_task_runner.h"
 #include "base/strings/string_split.h"
 #include "base/strings/utf_string_conversions.h"
 #include "base/threading/thread_task_runner_handle.h"
 #include "base/values.h"
 #include "build/build_config.h"
@@ skipping 2728 matching lines @@
       rfh_a->GetProcess(), RenderProcessHostWatcher::WATCH_FOR_PROCESS_EXIT);
   TestNavigationObserver commit_observer(web_contents);
   shell()->LoadURL(embedded_test_server()->GetURL("b.com", "/title1.html"));
   commit_observer.Wait();
   exit_observer.Wait();
 
   // Ensure the entry's title hasn't changed after the ignored commit.
   EXPECT_EQ(title, entry->GetTitle());
 }
 
+// Test that verifies that a cross-process transfer retains ability to read
+// files encapsulated by HTTP POST body that is forwarded to the new renderer.
+// Invalid handling of this scenario has been suspected as the cause of at least
+// some of the renderer kills tracked in https://crbug.com/613260.
+IN_PROC_BROWSER_TEST_F(RenderFrameHostManagerTest, PostWithFileData) {
+  // Navigate to the page with form that posts via 307 redirection to
+  // |redirect_target_url| (cross-site from |form_url|).
+  StartEmbeddedServer();
+  GURL form_url(embedded_test_server()->GetURL(
+      "a.com", "/form_that_posts_cross_site.html"));
+  GURL redirect_target_url(embedded_test_server()->GetURL("x.com", "/echoall"));
+  EXPECT_TRUE(NavigateToURL(shell(), form_url));
+
+  // Prepare a file to upload.
+  base::ScopedTempDir temp_dir;
+  base::FilePath file_path;
+  std::string file_content("test-file-content");
+  ASSERT_TRUE(temp_dir.CreateUniqueTempDir());
+  ASSERT_TRUE(base::CreateTemporaryFileInDir(temp_dir.path(), &file_path));
+  LOG(ERROR) << "Temporary file = " << file_path.value();
+  ASSERT_LT(
+      0, base::WriteFile(file_path, file_content.data(), file_content.size()));
+
+  // Fill out the form to refer to the test file.
+  std::unique_ptr<FileChooserDelegate> delegate(
+      new FileChooserDelegate(file_path));
+  shell()->web_contents()->SetDelegate(delegate.get());
+  EXPECT_TRUE(ExecuteScript(shell()->web_contents(),
+                            "document.getElementById('file').click();"));
+  EXPECT_TRUE(delegate->file_chosen());
+
+  // Check if the original renderer process is able to read the file
+  // (it shouldn't - it doesn't need to read the file;  only the new
+  // renderer process reads the file [for XSSAuditor purposes]).
+  int old_process_id = shell()->web_contents()->GetRenderProcessHost()->GetID();
+  EXPECT_FALSE(ChildProcessSecurityPolicyImpl::GetInstance()->CanReadFile(
+      old_process_id, file_path));

[Łukasz Anforowicz, 2016/06/10 23:07:04]

This test expectation fails today - sounds like an opportunity to further
restrict capabilities granted to a renderer process, right?

+
+  // Submit the form.
+  TestNavigationObserver form_post_observer(shell()->web_contents(), 1);
+  EXPECT_TRUE(ExecuteScript(shell()->web_contents(),
+                            "document.getElementById('file-form').submit();"));
+  form_post_observer.Wait();
+
+  // Verify that we arrived at the expected, redirected location.
+  EXPECT_EQ(redirect_target_url,
+            shell()->web_contents()->GetLastCommittedURL());
+
+  // Check if the new renderer process is able to read the file.
+  int new_process_id = shell()->web_contents()->GetRenderProcessHost()->GetID();
+  EXPECT_TRUE(ChildProcessSecurityPolicyImpl::GetInstance()->CanReadFile(
+      new_process_id, file_path));
+  // Check that the old renderer cannot read the file.
+  EXPECT_FALSE(ChildProcessSecurityPolicyImpl::GetInstance()->CanReadFile(
+      old_process_id, file_path));

[Łukasz Anforowicz, 2016/06/10 23:07:04]

This test expectation also fails today - it seems that we should be able to
revoke this ability (i.e. via
ChildProcessSecurityPolicyImpl::RevokeAllPermissionsForFile)?  It seems that we
revoke file permissions for 1) downloads, 2) indexed db and 3)
FileSystemHostMsg_CreateSnapshotFile (whatever this is), but I am not sure if we
do it for files from HTTP POST body (so permissions accumulate?  this would also
be a mini memory leak?).

+
+  // Verify that POST body got preserved by 307 redirect.  This expectation
+  // comes from: https://tools.ietf.org/html/rfc7231#section-6.4.7
+  std::string actual_page_body;
+  EXPECT_TRUE(ExecuteScriptAndExtractString(
+      shell()->web_contents(),
+      "window.domAutomationController.send("
+      "document.getElementsByTagName('pre')[0].innerText);",
+      &actual_page_body));
+  EXPECT_THAT(actual_page_body, ::testing::HasSubstr(file_content));
+  EXPECT_THAT(actual_page_body,
+              ::testing::HasSubstr(file_path.BaseName().value()));
+  EXPECT_THAT(actual_page_body,
+              ::testing::HasSubstr("form-data; name=\"file\""));
+}
+
 }  // namespace content