OLD | NEW |
---|---|
(Empty) | |
1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. | |
2 // Use of this source code is governed by a BSD-style license that can be | |
3 // found in the LICENSE file. | |
4 | |
5 #include "base/command_line.h" | |
6 #include "content/public/common/content_switches.h" | |
7 #include "content/public/test/browser_test_utils.h" | |
8 #include "content/test/content_browser_test.h" | |
9 #include "content/test/content_browser_test_utils.h" | |
10 | |
11 namespace content { | |
12 | |
13 // These tests simulate exploited renderer processes, which can fetch arbitrary | |
14 // resources from other websites, not constrained by the Same Origin Policy. We | |
15 // are trying to verify that the renderer cannot fetch any cross-site document | |
16 // responses even when the Same Origin Policy is turned off inside the renderer. | |
17 class SiteIsolationPolicyBrowserTest : public ContentBrowserTest { | |
18 public: | |
19 SiteIsolationPolicyBrowserTest() {} | |
20 virtual ~SiteIsolationPolicyBrowserTest() {} | |
21 | |
22 virtual void SetUpCommandLine(CommandLine* command_line) OVERRIDE { | |
23 ASSERT_TRUE(test_server()->Start()); | |
24 net::SpawnedTestServer https_server( | |
25 net::SpawnedTestServer::TYPE_HTTPS, | |
26 net::SpawnedTestServer::kLocalhost, | |
27 base::FilePath(FILE_PATH_LITERAL("content/test/data"))); | |
28 ASSERT_TRUE(https_server.Start()); | |
29 | |
30 // Add a host resolver rule to map all outgoing requests to the test server. | |
31 // This allows us to use "real" hostnames in URLs, which we can use to | |
32 // create arbitrary SiteInstances. | |
33 command_line->AppendSwitchASCII( | |
34 switches::kHostResolverRules, | |
35 "MAP * " + test_server()->host_port_pair().ToString() + | |
36 ",EXCLUDE localhost"); | |
37 | |
38 // Since we assume exploited renderer process, it can bypass the same origin | |
39 // policy at will. Simulate that by passing the disable-web-security flag. | |
40 command_line->AppendSwitch(switches::kDisableWebSecurity); | |
41 | |
42 // We assume that we're using our cross-site document blocking logic which | |
43 // is turned on even when the Same Origin Policy is turned off. | |
44 command_line->AppendSwitch(switches::kBlockCrossSiteDocuments); | |
45 } | |
46 | |
47 private: | |
48 DISALLOW_COPY_AND_ASSIGN(SiteIsolationPolicyBrowserTest); | |
49 }; | |
50 | |
51 IN_PROC_BROWSER_TEST_F(SiteIsolationPolicyBrowserTest, | |
52 CrossSiteDocumentBlockingForMimeType) { | |
53 // Load a page that issues illegal cross-site document requests to bar.com. | |
54 // The page uses XHR to request HTML/XML/JSON documents from bar.com, and | |
55 // inspects if any of them were successfully received. The XHR requests will | |
56 // get a one character string ' ' for a blocked response. This test is only | |
57 // possible since we run the browser without the same origin policy. | |
58 GURL foo("http://foo.com/files/cross_site_document_request.html"); | |
59 | |
60 content::DOMMessageQueue msg_queue; | |
61 | |
62 NavigateToURL(shell(), foo); | |
63 | |
64 std::string status; | |
65 // The page will returns 1 from the DOMAutomationController if it succeeds, | |
Charlie Reis
2013/08/22 23:05:22
nit: return
| |
66 // otherwise it will return 0. | |
67 std::string expected_status("1"); | |
68 EXPECT_TRUE(msg_queue.WaitForMessage(&status)); | |
69 EXPECT_STREQ(status.c_str(), expected_status.c_str()); | |
70 } | |
71 | |
72 IN_PROC_BROWSER_TEST_F(SiteIsolationPolicyBrowserTest, | |
73 CrossSiteDocumentBlockingForDifferentTargets) { | |
74 // This webpage loads a cross-site HTML page in different targets such as | |
75 // <img>,<link>,<embed>, etc. Since the requested document is blocked, and one | |
76 // character string (' ') is returned instead, this tests that the renderer | |
77 // does not crash even when it receives a response body which is " ", whose | |
78 // length is different from what's described in "content-length" for such | |
79 // different targets. | |
80 GURL foo("http://foo.com/files/cross_site_document_request_target.html"); | |
81 NavigateToURL(shell(), foo); | |
82 } | |
83 | |
84 } | |
OLD | NEW |