| Index: chrome/browser/download/save_page_browsertest.cc
|
| diff --git a/chrome/browser/download/save_page_browsertest.cc b/chrome/browser/download/save_page_browsertest.cc
|
| index f25a5a5624031f72633d5087d0dade55624292c1..74b8ff8bc944703c51309bd186b65c56aae3d4fc 100644
|
| --- a/chrome/browser/download/save_page_browsertest.cc
|
| +++ b/chrome/browser/download/save_page_browsertest.cc
|
| @@ -18,6 +18,7 @@
|
| #include "base/path_service.h"
|
| #include "base/run_loop.h"
|
| #include "base/strings/string_util.h"
|
| +#include "base/strings/stringprintf.h"
|
| #include "base/strings/utf_string_conversions.h"
|
| #include "base/test/test_file_util.h"
|
| #include "build/build_config.h"
|
| @@ -72,6 +73,7 @@ using content::WebContents;
|
| using net::URLRequestMockHTTPJob;
|
| using testing::ContainsRegex;
|
| using testing::HasSubstr;
|
| +using testing::Not;
|
|
|
| namespace {
|
|
|
| @@ -794,6 +796,49 @@ IN_PROC_BROWSER_TEST_F(SavePageBrowserTest, SaveDownloadableIFrame) {
|
| EXPECT_TRUE(base::PathExists(dir.AppendASCII("no-such-file.html")));
|
| }
|
|
|
| +// Test that file: URI won't be saved when referred to from an HTTP page.
|
| +// See also https://crbug.com/616429.
|
| +IN_PROC_BROWSER_TEST_F(SavePageBrowserTest, SaveUnauthorizedResource) {
|
| + GURL url = NavigateToMockURL("unauthorized-access");
|
| +
|
| + // Create a test file (that the web page should not have access to).
|
| + base::ScopedTempDir temp_dir2;
|
| + ASSERT_TRUE(temp_dir2.CreateUniqueTempDir());
|
| + base::FilePath file_path =
|
| + temp_dir2.path().Append(FILE_PATH_LITERAL("should-not-save.jpg"));
|
| + std::string file_content("fake-jpg");
|
| + ASSERT_LT(
|
| + 0, base::WriteFile(file_path, file_content.data(), file_content.size()));
|
| +
|
| + // Refer to the test file from the test page.
|
| + GURL file_url = net::FilePathToFileURL(file_path);
|
| + ASSERT_TRUE(ExecuteScript(
|
| + browser()->tab_strip_model()->GetWebContentsAt(0),
|
| + base::StringPrintf("document.getElementById('resource1').src = '%s';",
|
| + file_url.spec().data())));
|
| +
|
| + // Save the current page.
|
| + base::FilePath full_file_name, dir;
|
| + SaveCurrentTab(url, content::SAVE_PAGE_TYPE_AS_COMPLETE_HTML,
|
| + "unauthorized-access", 2, &dir, &full_file_name);
|
| +
|
| + // We should not save resource that the web page didn't have access to.
|
| + // (because executing a resource request can have side effects - for example
|
| + // after https://crbug.com/590714 a website from the internet should not be
|
| + // able to issue a resource request to an intranet website and trigger
|
| + // server-side actions in the internet; this test uses a file: URI as a
|
| + // canary for detecting whether a website can access restricted resources).
|
| + EXPECT_FALSE(base::PathExists(dir.AppendASCII("should-not-save.jpg")));
|
| +
|
| + // We should not keep references to the unauthorized resource in links of the
|
| + // saved html - otherwise the malicious website that embeds an unauthorized
|
| + // link can just wait until the user opens the saved HTML.
|
| + std::string main_contents;
|
| + ASSERT_TRUE(base::ReadFileToString(full_file_name, &main_contents));
|
| + EXPECT_THAT(main_contents, Not(HasSubstr(file_url.spec())));
|
| + EXPECT_THAT(main_contents, ContainsRegex("src=.*resource-failed-to-save"));
|
| +}
|
| +
|
| // Test suite that allows testing --site-per-process against cross-site frames.
|
| // See http://dev.chromium.org/developers/design-documents/site-isolation.
|
| class SavePageSitePerProcessBrowserTest : public SavePageBrowserTest {
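Review bot: The leak check on the saved HTML only rejects the exact `file_url.spec()` string, so a rendering of the same path in another form (percent-decoded, a relative `file:` form, or just the bare path) would still pass even though the unauthorized reference survived; a second, encoding-independent assertion such as `EXPECT_THAT(main_contents, Not(HasSubstr("should-not-save.jpg")));` next to the existing one would close that gap, and the `ContainsRegex("src=.*resource-failed-to-save")` check should then be the only way the element can appear. The `ASSERT_LT(0, base::WriteFile(...))` guard accepts a short write; pinning it to the full length, `ASSERT_EQ(static_cast<int>(file_content.size()), base::WriteFile(file_path, file_content.data(), file_content.size()));`, makes the fixture deterministic. The comment block above the PathExists check reads "trigger server-side actions in the internet", which from the surrounding sentence appears to mean "intranet". Nothing in the hunk waits for the `src` assignment's load attempt to settle before `SaveCurrentTab` runs; if the saver reads the DOM synchronously that is fine, but it is worth confirming the test cannot race the fetch.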
|
|
|