Fix process transfers for blob urls of sites requiring dedicated processes.

content/browser/frame_host/frame_tree_browsertest.cc

Index: content/browser/frame_host/frame_tree_browsertest.cc
diff --git a/content/browser/frame_host/frame_tree_browsertest.cc b/content/browser/frame_host/frame_tree_browsertest.cc
index 0fd2ac04c4350042beffd2b6418f438e9e5a3ec0..83288b6e755258bfbd92af24903667f108062ce7 100644
--- a/content/browser/frame_host/frame_tree_browsertest.cc
+++ b/content/browser/frame_host/frame_tree_browsertest.cc
@@ -10,6 +10,7 @@
 #include "content/browser/web_contents/web_contents_impl.h"
 #include "content/public/browser/notification_service.h"
 #include "content/public/browser/notification_types.h"
+#include "content/public/common/content_switches.h"
 #include "content/public/common/url_constants.h"
 #include "content/public/test/browser_test_utils.h"
 #include "content/public/test/content_browser_test.h"
@@ -17,6 +18,7 @@
 #include "content/public/test/test_navigation_observer.h"
 #include "content/public/test/test_utils.h"
 #include "content/shell/browser/shell.h"
+#include "content/shell/common/shell_switches.h"
 #include "content/test/content_browser_test_utils_internal.h"
 #include "content/test/test_frame_navigation_observer.h"
 #include "net/dns/mock_host_resolver.h"
@@ -31,6 +33,17 @@
 
 namespace content {
 
+namespace {
+
+std::string GetOriginFromRenderer(FrameTreeNode* node) {
+  std::string origin;
+  EXPECT_TRUE(ExecuteScriptAndExtractString(
+      node, "window.domAutomationController.send(document.origin);", &origin));
+  return origin;
+}
+
+}  // namespace
+
 class FrameTreeBrowserTest : public ContentBrowserTest {
  public:
   FrameTreeBrowserTest() {}
@@ -41,15 +54,6 @@ class FrameTreeBrowserTest : public ContentBrowserTest {
     SetupCrossSiteRedirector(embedded_test_server());
   }
 
- protected:
-  std::string GetOriginFromRenderer(FrameTreeNode* node) {
-    std::string origin;
-    EXPECT_TRUE(ExecuteScriptAndExtractString(
-        node, "window.domAutomationController.send(document.origin);",
-        &origin));
-    return origin;
-  }
-
  private:
   DISALLOW_COPY_AND_ASSIGN(FrameTreeBrowserTest);
 };
@@ -691,4 +695,67 @@ IN_PROC_BROWSER_TEST_F(CrossProcessFrameTreeBrowserTest,
   EXPECT_EQ(root->child_at(1)->current_origin().Serialize(), "null");
 }
 
+// FrameTreeBrowserTest variant where we isolate http://*.is, Iceland's top
+// level domain. This is an analogue to --isolate-extensions that we use inside
+// of content_browsertests, where extensions don't exist. Iceland, like an
+// extension process, is a special place with magical powers; we want to protect

[Charlie Reis, 2016/09/09 21:18:23]

Ha!

[ncarter (slow), 2016/09/09 21:56:31]

Acknowledged.

+// it from outsiders.
+class IsolateIcelandFrameTreeBrowserTest : public ContentBrowserTest {

[Charlie Reis, 2016/09/09 21:18:23]

Is there a reason this doesn't derive from FrameTreeBrowserTest?  That would
avoid duplicating SetUpOnMainThread and the need to move GetOriginFromRenderer
outside the class.

[ncarter (slow), 2016/09/09 21:56:31]

CrossProcessFrameTreeBrowserTest didn't derive from FrameTreeBrowserTest, and I
was following that pattern.

+ public:
+  IsolateIcelandFrameTreeBrowserTest() {}
+
+  void SetUpCommandLine(base::CommandLine* command_line) override {
+    command_line->AppendSwitchASCII(switches::kIsolateSitesForTesting, "*.is");
+  }
+
+  void SetUpOnMainThread() override {
+    host_resolver()->AddRule("*", "127.0.0.1");
+    ASSERT_TRUE(embedded_test_server()->Start());
+    SetupCrossSiteRedirector(embedded_test_server());
+  }
+
+ private:
+  DISALLOW_COPY_AND_ASSIGN(IsolateIcelandFrameTreeBrowserTest);
+};
+
+// Regression test for https://crbug.com/644966
+IN_PROC_BROWSER_TEST_F(IsolateIcelandFrameTreeBrowserTest,
+                       ProcessSwitchForIsolatedBlob) {
+  // blink suppresses navigations to blob URLs of origins different from the
+  // frame initiating the navigation. We disable those checks for this test, to
+  // test what happens in a compromise scenario.
+  base::CommandLine::ForCurrentProcess()->AppendSwitch(
+      switches::kDisableWebSecurity);
+
+  // Set up an iframe.
+  WebContents* contents = shell()->web_contents();
+  FrameTreeNode* root =
+      static_cast<WebContentsImpl*>(contents)->GetFrameTree()->root();
+  GURL main_url(embedded_test_server()->GetURL(
+      "a.com", "/cross_site_iframe_factory.html?a(b)"));
+  EXPECT_TRUE(NavigateToURL(shell(), main_url));
+
+  // The navigation targets an invalid blob url; that's intentional. Secure
+  // behaviors are for this navigation to either be cancelled, or for it to

[Charlie Reis, 2016/09/09 21:18:23]

I'm a little unclear here.  Is there a mode where the navigation is canceled
(like --site-per-process or something similar), or are you just explaining that
it would be acceptable behavior if we later decided to go that way?  I imagine
the test would fail if the navigation were canceled, as written.

[ncarter (slow), 2016/09/09 21:56:31]

I removed the speculative language.

+  // commit an a 404 response in a process dedicated to http://b.is.
+  std::string result;
+  EXPECT_TRUE(ExecuteScriptAndExtractString(
+      root,
+      "var iframe_element = document.getElementsByTagName('iframe')[0];"
+      "iframe_element.onload = () => {"
+      "    domAutomationController.send('done');"
+      "};"
+      "iframe_element.src = 'blob:http://b.is:2932/';",
+      &result));
+  WaitForLoadStop(contents);
+
+  // Make sure we did a process transfer back to "b.is".
+  EXPECT_EQ(
+      " Site A ------------ proxies for B\n"
+      "   +--Site B ------- proxies for A\n"
+      "Where A = http://a.com/\n"
+      "      B = http://b.is/",
+      FrameTreeVisualizer().DepictFrameTree(root));
+}
+
 }  // namespace content