Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(1243)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: content/test/data/cross_site_document_request.html

Issue 22254005: UMA data collector for cross-site documents(XSD) (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@lkgr
Patch Set: blocking code gets simpler and testcase is moved to /content Created 7 years, 4 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« content/public/common/content_switches.cc ('K') | « content/renderer/render_frame_impl.cc ('k') | content/test/data/cross_site_document_request_target.html » ('j') | content/test/data/cross_site_document_request_target.html » ('J')
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: content/test/data/cross_site_document_request.html
diff --git a/content/test/data/cross_site_document_request.html b/content/test/data/cross_site_document_request.html
new file mode 100644
index 0000000000000000000000000000000000000000..17cceda238163ee9c3be56a044a2858cc5676503
--- /dev/null
+++ b/content/test/data/cross_site_document_request.html
@@ -0,0 +1,78 @@
+<html>
+<head>
+<script>
+/* This test shows that cross-site documents are blocked by SiteIsolationPolicy
Charlie Reis 2013/08/22 18:23:30 Style nit: We don't tend to use /* */ comments for
dsjang 2013/08/22 19:05:55 Done.
+even if the Same Origin Policy is turned on in the renderer. The same origin
Charlie Reis 2013/08/22 18:23:30 nit: turned off
dsjang 2013/08/22 19:05:55 Done.
+policy can be circumvented when the renderer is compromised, but we have
+SiteIsolationPolicy that blocks cross-site documents at the IPC layer. For now
+cross-site document blocking by SiteIsolationPolicy is done in the renderer, but
+our ultimate plan is to do that in the browser process. */
+
+var xhrStatus = -1;
+var pathPrefix = "http://bar.com/files/site_isolation/";
+
+/* We only block cross-site documents with a blacklisted mime type(text/html,
+text/xml, application/json), and correctly sniffed as the content type that they
Charlie Reis 2013/08/22 18:23:30 and -> that are
dsjang 2013/08/22 19:05:55 Done.
+claim to be. We also block text/plain documents when their body look like one of
Charlie Reis 2013/08/22 18:23:30 looks
dsjang 2013/08/22 19:05:55 Done.
+the blacklisted content types. */
+
+var blockedResourceUrls = ['valid.html', 'comment_valid.html', 'valid.xml',
+'valid.json', 'html.txt', 'xml.txt', 'json.txt'];
+
+var nonBlockedResourceUrls = ['js.html', 'comment_js.html', 'js.xml', 'js.json',
+'js.txt', 'img.html', 'img.xml', 'img.json', 'img.txt', 'comment_js.html'];
+
+var resourceUrls = blockedResourceUrls.concat(nonBlockedResourceUrls);
+
+var failed = false;
+function sendRequest(resourceUrl) {
+ var xhr = new XMLHttpRequest();
+ xhr.onreadystatechange = function() {
+ if (xhr.readyState == 4) {
+ var prefix = "";
+ if ((blockedResourceUrls.indexOf(resourceUrl) != -1 && xhr.responseText != " ") ||
Charlie Reis 2013/08/22 18:23:30 80 chars isn't required in HTML files, but it migh
dsjang 2013/08/22 19:05:55 Done.
+ (nonBlockedResourceUrls.indexOf(resourceUrl) != -1 && xhr.responseText == " ")) {
+ // Test failed. Either a resource that should have been blocked is not
+ // blocked, or a resource that should have not been blocked is blocked.
+ domAutomationController.setAutomationId(0);
+ //domAutomationController.send(0);
Charlie Reis 2013/08/22 18:23:30 Should this be uncommented?
dsjang 2013/08/22 19:05:55 Done.
+ if (blockedResourceUrls.indexOf(resourceUrl) != -1) {
+ prefix = "[ERROR:resource to be blocked wasn't blocked]";
+ } else {
+ prefix = "[ERROR:resource to be unblocked was blocked]";
+ }
+ }
+ document.getElementById("response_body").value +=
+ ("\n" + prefix + "response to " + resourceUrl + "(" + xhr.getResponseHeader("content-type") + ") " + (xhr.responseText == " " ? "blocked" : "not-blocked"));
Charlie Reis 2013/08/22 18:23:30 nit: Please wrap this line.
dsjang 2013/08/22 19:05:55 Done.
+ drive();
+ }
+ }
+ xhr.open('GET', pathPrefix + resourceUrl);
+ xhr.send();
+}
+
+var cnt = 0;
+function drive() {
+ if (cnt < resourceUrls.length) {
+ sendRequest(resourceUrls[cnt]);
+ ++cnt;
+ } else {
+ //all the test cases are successfully passed.
Charlie Reis 2013/08/22 18:23:30 nit: Capitalize All and put a space before it.
dsjang 2013/08/22 19:05:55 Done.
+ domAutomationController.setAutomationId(0);
+ domAutomationController.send(1);
+ }
+}
+
+window.onload = function() {
+ // The call to pushState with chrome-extension:// URL will succeed, since the
+ // test uses --disable-web-security.
+ history.pushState('', '',
+ 'http://bar.com/files/main.html');
Charlie Reis 2013/08/22 18:23:30 nit: This can all fit on one line.
dsjang 2013/08/22 19:05:55 Done.
+ drive();
+}
+</script>
+</head>
+<body>
+<textarea rows=20 cols=50 id='response_body'></textarea>
+</body>
+</html>
« content/public/common/content_switches.cc ('K') | « content/renderer/render_frame_impl.cc ('k') | content/test/data/cross_site_document_request_target.html » ('j') | content/test/data/cross_site_document_request_target.html » ('J')

Powered by Google App Engine
This is Rietveld 408576698