Updated suborigin serialization to latest spec proposal

content/browser/child_process_security_policy_unittest.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include <set>
 #include <string>
 
 #include "base/files/file_path.h"
 #include "content/browser/child_process_security_policy_impl.h"
 #include "content/public/common/url_constants.h"
@@ skipping 123 matching lines @@
   EXPECT_FALSE(p->IsWebSafeScheme(kChromeUIScheme));
 }
 
 TEST_F(ChildProcessSecurityPolicyTest, IsPseudoSchemeTest) {
   ChildProcessSecurityPolicyImpl* p =
       ChildProcessSecurityPolicyImpl::GetInstance();
 
   EXPECT_TRUE(p->IsPseudoScheme(url::kAboutScheme));
   EXPECT_TRUE(p->IsPseudoScheme(url::kJavaScriptScheme));
   EXPECT_TRUE(p->IsPseudoScheme(kViewSourceScheme));
+  EXPECT_TRUE(p->IsPseudoScheme(kHttpSuboriginScheme));
+  EXPECT_TRUE(p->IsPseudoScheme(kHttpsSuboriginScheme));
 
   EXPECT_FALSE(p->IsPseudoScheme("registered-pseudo-scheme"));
   p->RegisterPseudoScheme("registered-pseudo-scheme");
   EXPECT_TRUE(p->IsPseudoScheme("registered-pseudo-scheme"));
 
   EXPECT_FALSE(p->IsPseudoScheme(kChromeUIScheme));
 }
 
 TEST_F(ChildProcessSecurityPolicyTest, StandardSchemesTest) {
   ChildProcessSecurityPolicyImpl* p =
       ChildProcessSecurityPolicyImpl::GetInstance();
 
   p->Add(kRendererID);
 
   // Safe to request or commit.
   EXPECT_TRUE(p->CanRequestURL(kRendererID, GURL("http://www.google.com/")));
   EXPECT_TRUE(p->CanRequestURL(kRendererID, GURL("https://www.paypal.com/")));
   EXPECT_TRUE(p->CanRequestURL(kRendererID, GURL("ftp://ftp.gnu.org/")));
   EXPECT_TRUE(p->CanRequestURL(kRendererID, GURL("data:text/html,<b>Hi</b>")));
   EXPECT_TRUE(p->CanRequestURL(
       kRendererID, GURL("filesystem:http://localhost/temporary/a.gif")));
   EXPECT_TRUE(p->CanCommitURL(kRendererID, GURL("http://www.google.com/")));
   EXPECT_TRUE(p->CanCommitURL(kRendererID, GURL("https://www.paypal.com/")));
   EXPECT_TRUE(p->CanCommitURL(kRendererID, GURL("ftp://ftp.gnu.org/")));
   EXPECT_TRUE(p->CanCommitURL(kRendererID, GURL("data:text/html,<b>Hi</b>")));
   EXPECT_TRUE(p->CanCommitURL(
       kRendererID, GURL("filesystem:http://localhost/temporary/a.gif")));
+  EXPECT_TRUE(
+      p->CanSetAsOriginHeader(kRendererID, GURL("http://www.google.com/")));
+  EXPECT_TRUE(
+      p->CanSetAsOriginHeader(kRendererID, GURL("https://www.paypal.com/")));
+  EXPECT_TRUE(p->CanSetAsOriginHeader(kRendererID, GURL("ftp://ftp.gnu.org/")));
+  EXPECT_TRUE(
+      p->CanSetAsOriginHeader(kRendererID, GURL("data:text/html,<b>Hi</b>")));
+  EXPECT_TRUE(p->CanSetAsOriginHeader(
+      kRendererID, GURL("filesystem:http://localhost/temporary/a.gif")));
 
-  // Dangerous to request or commit.
+  // Dangerous to request, commit, or set as origin header.
   EXPECT_FALSE(p->CanRequestURL(kRendererID,
                                 GURL("file:///etc/passwd")));
   EXPECT_FALSE(p->CanRequestURL(kRendererID,
                                 GURL("chrome://foo/bar")));
   EXPECT_FALSE(p->CanRequestURL(kRendererID,
                                 GURL("view-source:http://www.google.com/")));
   EXPECT_FALSE(p->CanCommitURL(kRendererID,
                                 GURL("file:///etc/passwd")));
   EXPECT_FALSE(p->CanCommitURL(kRendererID,
                                 GURL("chrome://foo/bar")));
   EXPECT_FALSE(
       p->CanCommitURL(kRendererID, GURL("view-source:http://www.google.com/")));
+  EXPECT_FALSE(
+      p->CanSetAsOriginHeader(kRendererID, GURL("file:///etc/passwd")));
+  EXPECT_FALSE(p->CanSetAsOriginHeader(kRendererID, GURL("chrome://foo/bar")));

[nasko, 2016/09/23 21:59:48]

Hmm, do we really want to leak chrome:// origins to the web?

[jww, 2016/09/23 22:52:27]

Well, we already are :-) chrome:// headers already return true for CanCommitURL,
so the header can be sent for them. I think it's certainly worth considering
locking it down, but I fear that they're might be unexpected consequences, so
I'd rather not tie that chance to this CL.

What do you think?

[nasko, 2016/09/23 23:29:42]

Definitely the job for another CL. We shouldn't be putting different fixes in
the same CL.
Can you file a bug, if one doesn't exist, so we can follow up on this?

+  EXPECT_FALSE(p->CanSetAsOriginHeader(
+      kRendererID, GURL("view-source:http://www.google.com/")));
 
   p->Remove(kRendererID);
 }
 
 TEST_F(ChildProcessSecurityPolicyTest, AboutTest) {
   ChildProcessSecurityPolicyImpl* p =
       ChildProcessSecurityPolicyImpl::GetInstance();
 
   p->Add(kRendererID);
 
   EXPECT_TRUE(p->CanRequestURL(kRendererID, GURL("about:blank")));
   EXPECT_TRUE(p->CanRequestURL(kRendererID, GURL("about:BlAnK")));
   EXPECT_TRUE(p->CanRequestURL(kRendererID, GURL("aBouT:BlAnK")));
   EXPECT_TRUE(p->CanRequestURL(kRendererID, GURL("aBouT:blank")));
   EXPECT_TRUE(p->CanCommitURL(kRendererID, GURL("about:blank")));
   EXPECT_TRUE(p->CanCommitURL(kRendererID, GURL("about:BlAnK")));
   EXPECT_TRUE(p->CanCommitURL(kRendererID, GURL("aBouT:BlAnK")));
   EXPECT_TRUE(p->CanCommitURL(kRendererID, GURL("aBouT:blank")));
+  EXPECT_TRUE(p->CanSetAsOriginHeader(kRendererID, GURL("about:blank")));
+  EXPECT_TRUE(p->CanSetAsOriginHeader(kRendererID, GURL("about:BlAnK")));
+  EXPECT_TRUE(p->CanSetAsOriginHeader(kRendererID, GURL("aBouT:BlAnK")));
+  EXPECT_TRUE(p->CanSetAsOriginHeader(kRendererID, GURL("aBouT:blank")));
 
   EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("about:crash")));
   EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("about:cache")));
   EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("about:hang")));
   EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("about:version")));
   EXPECT_FALSE(p->CanCommitURL(kRendererID, GURL("about:crash")));
   EXPECT_FALSE(p->CanCommitURL(kRendererID, GURL("about:cache")));
   EXPECT_FALSE(p->CanCommitURL(kRendererID, GURL("about:hang")));
   EXPECT_FALSE(p->CanCommitURL(kRendererID, GURL("about:version")));
+  EXPECT_FALSE(p->CanSetAsOriginHeader(kRendererID, GURL("about:crash")));
+  EXPECT_FALSE(p->CanSetAsOriginHeader(kRendererID, GURL("about:cache")));
+  EXPECT_FALSE(p->CanSetAsOriginHeader(kRendererID, GURL("about:hang")));
+  EXPECT_FALSE(p->CanSetAsOriginHeader(kRendererID, GURL("about:version")));
 
   EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("aBoUt:version")));
   EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("about:CrASh")));
   EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("abOuT:cAChe")));
   EXPECT_FALSE(p->CanCommitURL(kRendererID, GURL("aBoUt:version")));
   EXPECT_FALSE(p->CanCommitURL(kRendererID, GURL("about:CrASh")));
   EXPECT_FALSE(p->CanCommitURL(kRendererID, GURL("abOuT:cAChe")));
   EXPECT_FALSE(p->CanCommitURL(kRendererID, GURL("aBoUt:version")));
+  EXPECT_FALSE(p->CanSetAsOriginHeader(kRendererID, GURL("aBoUt:version")));
+  EXPECT_FALSE(p->CanSetAsOriginHeader(kRendererID, GURL("about:CrASh")));
+  EXPECT_FALSE(p->CanSetAsOriginHeader(kRendererID, GURL("abOuT:cAChe")));
+  EXPECT_FALSE(p->CanSetAsOriginHeader(kRendererID, GURL("aBoUt:version")));
 
   // Requests for about: pages should be denied.
   p->GrantRequestURL(kRendererID, GURL("about:crash"));
   EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("about:crash")));
   EXPECT_FALSE(p->CanCommitURL(kRendererID, GURL("about:crash")));
+  EXPECT_FALSE(p->CanSetAsOriginHeader(kRendererID, GURL("about:crash")));
 
   // These requests for chrome:// pages should be granted.
   GURL chrome_url("chrome://foo");
   p->GrantRequestURL(kRendererID, chrome_url);
   EXPECT_TRUE(p->CanRequestURL(kRendererID, chrome_url));
   EXPECT_TRUE(p->CanCommitURL(kRendererID, chrome_url));
+  EXPECT_TRUE(p->CanSetAsOriginHeader(kRendererID, chrome_url));
 
   p->Remove(kRendererID);
 }
 
 TEST_F(ChildProcessSecurityPolicyTest, JavaScriptTest) {
   ChildProcessSecurityPolicyImpl* p =
       ChildProcessSecurityPolicyImpl::GetInstance();
 
   p->Add(kRendererID);
 
   EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("javascript:alert('xss')")));
   EXPECT_FALSE(p->CanCommitURL(kRendererID, GURL("javascript:alert('xss')")));
+  EXPECT_FALSE(
+      p->CanSetAsOriginHeader(kRendererID, GURL("javascript:alert('xss')")));
   p->GrantRequestURL(kRendererID, GURL("javascript:alert('xss')"));
   EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("javascript:alert('xss')")));
   EXPECT_FALSE(p->CanCommitURL(kRendererID, GURL("javascript:alert('xss')")));
+  EXPECT_FALSE(
+      p->CanSetAsOriginHeader(kRendererID, GURL("javascript:alert('xss')")));
 
   p->Remove(kRendererID);
 }
+
+TEST_F(ChildProcessSecurityPolicyTest, SuboriginTest) {
+  ChildProcessSecurityPolicyImpl* p =
+      ChildProcessSecurityPolicyImpl::GetInstance();
+
+  p->Add(kRendererID);
+
+  // Suborigin URLs are not requestable or commitable.

[nasko, 2016/09/23 21:59:48]

nit: committable?

[jww, 2016/09/23 22:52:27]

Done.

+  EXPECT_FALSE(
+      p->CanRequestURL(kRendererID, GURL("http-so://foobar.example.com")));
+  EXPECT_FALSE(
+      p->CanRequestURL(kRendererID, GURL("https-so://foobar.example.com")));
+  EXPECT_FALSE(
+      p->CanCommitURL(kRendererID, GURL("http-so://foobar.example.com")));
+  EXPECT_FALSE(
+      p->CanCommitURL(kRendererID, GURL("https-so://foobar.example.com")));
+
+  // Suborigin URLs are valid origin headers.
+  EXPECT_TRUE(p->CanSetAsOriginHeader(kRendererID,
+                                      GURL("http-so://foobar.example.com")));
+  EXPECT_TRUE(p->CanSetAsOriginHeader(kRendererID,
+                                      GURL("https-so://foobar.example.com")));
+

[nasko, 2016/09/23 21:59:48]

Let's add coverage to ensure that even after calling GrantRequestURL with a
suborigin we still cannot request/commit it.

[jww, 2016/09/23 22:52:27]

Done.

+  p->Remove(kRendererID);
+}
 
 TEST_F(ChildProcessSecurityPolicyTest, RegisterWebSafeSchemeTest) {
   ChildProcessSecurityPolicyImpl* p =
       ChildProcessSecurityPolicyImpl::GetInstance();
 
   p->Add(kRendererID);
 
   // Currently, "asdf" is destined for ShellExecute, so it is allowed to be
   // requested but not committed.
   EXPECT_TRUE(p->CanRequestURL(kRendererID, GURL("asdf:rockers")));
   EXPECT_FALSE(p->CanCommitURL(kRendererID, GURL("asdf:rockers")));
+  EXPECT_FALSE(p->CanSetAsOriginHeader(kRendererID, GURL("asdf:rockers")));
 
   // Once we register "asdf", we default to deny.
   RegisterTestScheme("asdf");
   EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("asdf:rockers")));
   EXPECT_FALSE(p->CanCommitURL(kRendererID, GURL("asdf:rockers")));
+  EXPECT_FALSE(p->CanSetAsOriginHeader(kRendererID, GURL("asdf:rockers")));
 
   // We can allow new schemes by adding them to the whitelist.
   p->RegisterWebSafeScheme("asdf");
   EXPECT_TRUE(p->CanRequestURL(kRendererID, GURL("asdf:rockers")));
   EXPECT_TRUE(p->CanCommitURL(kRendererID, GURL("asdf:rockers")));
+  EXPECT_TRUE(p->CanSetAsOriginHeader(kRendererID, GURL("asdf:rockers")));
 
   // Cleanup.
   p->Remove(kRendererID);
 }
 
 TEST_F(ChildProcessSecurityPolicyTest, CanServiceCommandsTest) {
   ChildProcessSecurityPolicyImpl* p =
       ChildProcessSecurityPolicyImpl::GetInstance();
 
   p->Add(kRendererID);
 
   EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("file:///etc/passwd")));
   EXPECT_FALSE(p->CanCommitURL(kRendererID, GURL("file:///etc/passwd")));
+  EXPECT_FALSE(
+      p->CanSetAsOriginHeader(kRendererID, GURL("file:///etc/passwd")));
   p->GrantRequestURL(kRendererID, GURL("file:///etc/passwd"));
   EXPECT_TRUE(p->CanRequestURL(kRendererID, GURL("file:///etc/passwd")));
   EXPECT_TRUE(p->CanCommitURL(kRendererID, GURL("file:///etc/passwd")));
+  EXPECT_TRUE(p->CanSetAsOriginHeader(kRendererID, GURL("file:///etc/passwd")));
 
   // We should forget our state if we repeat a renderer id.
   p->Remove(kRendererID);
   p->Add(kRendererID);
   EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("file:///etc/passwd")));
   EXPECT_FALSE(p->CanCommitURL(kRendererID, GURL("file:///etc/passwd")));
+  EXPECT_FALSE(
+      p->CanSetAsOriginHeader(kRendererID, GURL("file:///etc/passwd")));
   p->Remove(kRendererID);
 }
 
 TEST_F(ChildProcessSecurityPolicyTest, ViewSource) {
   ChildProcessSecurityPolicyImpl* p =
       ChildProcessSecurityPolicyImpl::GetInstance();
 
   p->Add(kRendererID);
 
   // Child processes cannot request view source URLs.
   EXPECT_FALSE(p->CanRequestURL(kRendererID,
                                 GURL("view-source:http://www.google.com/")));
   EXPECT_FALSE(p->CanRequestURL(kRendererID,
                                 GURL("view-source:file:///etc/passwd")));
   EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("file:///etc/passwd")));
   EXPECT_FALSE(p->CanRequestURL(
       kRendererID, GURL("view-source:view-source:http://www.google.com/")));
 
   // View source URLs don't actually commit; the renderer is put into view
   // source mode, and the inner URL commits.
   EXPECT_FALSE(p->CanCommitURL(kRendererID,
                                GURL("view-source:http://www.google.com/")));
   EXPECT_FALSE(p->CanCommitURL(kRendererID,
                                GURL("view-source:file:///etc/passwd")));
   EXPECT_FALSE(p->CanCommitURL(kRendererID, GURL("file:///etc/passwd")));
   EXPECT_FALSE(p->CanCommitURL(
       kRendererID, GURL("view-source:view-source:http://www.google.com/")));
 
+  // View source URLs should not be setable as origin headers
+  EXPECT_FALSE(p->CanSetAsOriginHeader(
+      kRendererID, GURL("view-source:http://www.google.com/")));
+  EXPECT_FALSE(p->CanSetAsOriginHeader(kRendererID,
+                                       GURL("view-source:file:///etc/passwd")));
+  EXPECT_FALSE(
+      p->CanSetAsOriginHeader(kRendererID, GURL("file:///etc/passwd")));
+  EXPECT_FALSE(p->CanSetAsOriginHeader(
+      kRendererID, GURL("view-source:view-source:http://www.google.com/")));
+
   p->GrantRequestURL(kRendererID, GURL("view-source:file:///etc/passwd"));
   EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("file:///etc/passwd")));
   EXPECT_FALSE(p->CanCommitURL(kRendererID, GURL("file:///etc/passwd")));
   EXPECT_FALSE(
+      p->CanSetAsOriginHeader(kRendererID, GURL("file:///etc/passwd")));
+  EXPECT_FALSE(
       p->CanRequestURL(kRendererID, GURL("view-source:file:///etc/passwd")));
   EXPECT_FALSE(p->CanCommitURL(kRendererID,
                                GURL("view-source:file:///etc/passwd")));
+  EXPECT_FALSE(p->CanSetAsOriginHeader(kRendererID,
+                                       GURL("view-source:file:///etc/passwd")));
   p->Remove(kRendererID);
 }
 
 TEST_F(ChildProcessSecurityPolicyTest, SpecificFile) {
   ChildProcessSecurityPolicyImpl* p =
       ChildProcessSecurityPolicyImpl::GetInstance();
 
   p->Add(kRendererID);
 
   GURL icon_url("file:///tmp/foo.png");
   GURL sensitive_url("file:///etc/passwd");
   EXPECT_FALSE(p->CanRequestURL(kRendererID, icon_url));
   EXPECT_FALSE(p->CanRequestURL(kRendererID, sensitive_url));
   EXPECT_FALSE(p->CanCommitURL(kRendererID, icon_url));
   EXPECT_FALSE(p->CanCommitURL(kRendererID, sensitive_url));
+  EXPECT_FALSE(p->CanSetAsOriginHeader(kRendererID, icon_url));
+  EXPECT_FALSE(p->CanSetAsOriginHeader(kRendererID, sensitive_url));
 
   p->GrantRequestSpecificFileURL(kRendererID, icon_url);
   EXPECT_TRUE(p->CanRequestURL(kRendererID, icon_url));
   EXPECT_FALSE(p->CanRequestURL(kRendererID, sensitive_url));
   EXPECT_TRUE(p->CanCommitURL(kRendererID, icon_url));
   EXPECT_FALSE(p->CanCommitURL(kRendererID, sensitive_url));
+  EXPECT_TRUE(p->CanSetAsOriginHeader(kRendererID, icon_url));
+  EXPECT_FALSE(p->CanSetAsOriginHeader(kRendererID, sensitive_url));
 
   p->GrantRequestURL(kRendererID, icon_url);
   EXPECT_TRUE(p->CanRequestURL(kRendererID, icon_url));
   EXPECT_TRUE(p->CanRequestURL(kRendererID, sensitive_url));
   EXPECT_TRUE(p->CanCommitURL(kRendererID, icon_url));
   EXPECT_TRUE(p->CanCommitURL(kRendererID, sensitive_url));
+  EXPECT_TRUE(p->CanSetAsOriginHeader(kRendererID, icon_url));
+  EXPECT_TRUE(p->CanSetAsOriginHeader(kRendererID, sensitive_url));
 
   p->Remove(kRendererID);
 }
 
 TEST_F(ChildProcessSecurityPolicyTest, FileSystemGrantsTest) {
   ChildProcessSecurityPolicyImpl* p =
       ChildProcessSecurityPolicyImpl::GetInstance();
 
   p->Add(kRendererID);
   std::string read_id =
@@ skipping 340 matching lines @@
   GURL url_foo1("chrome://foo/resource1");
   GURL url_foo2("chrome://foo/resource2");
   GURL url_bar("chrome://bar/resource3");
 
   EXPECT_FALSE(p->CanRequestURL(kRendererID, url_foo1));
   EXPECT_FALSE(p->CanRequestURL(kRendererID, url_foo2));
   EXPECT_FALSE(p->CanRequestURL(kRendererID, url_bar));
   EXPECT_FALSE(p->CanCommitURL(kRendererID, url_foo1));
   EXPECT_FALSE(p->CanCommitURL(kRendererID, url_foo2));
   EXPECT_FALSE(p->CanCommitURL(kRendererID, url_bar));
+  EXPECT_FALSE(p->CanSetAsOriginHeader(kRendererID, url_foo1));
+  EXPECT_FALSE(p->CanSetAsOriginHeader(kRendererID, url_foo2));
+  EXPECT_FALSE(p->CanSetAsOriginHeader(kRendererID, url_bar));
 
   p->GrantOrigin(kRendererID, url::Origin(url_foo1));
 
   EXPECT_TRUE(p->CanRequestURL(kRendererID, url_foo1));
   EXPECT_TRUE(p->CanRequestURL(kRendererID, url_foo2));
   EXPECT_FALSE(p->CanRequestURL(kRendererID, url_bar));
   EXPECT_TRUE(p->CanCommitURL(kRendererID, url_foo1));
   EXPECT_TRUE(p->CanCommitURL(kRendererID, url_foo2));
   EXPECT_FALSE(p->CanCommitURL(kRendererID, url_bar));
+  EXPECT_TRUE(p->CanSetAsOriginHeader(kRendererID, url_foo1));
+  EXPECT_TRUE(p->CanSetAsOriginHeader(kRendererID, url_foo2));
+  EXPECT_FALSE(p->CanSetAsOriginHeader(kRendererID, url_bar));
 
   p->GrantScheme(kRendererID, kChromeUIScheme);
 
   EXPECT_TRUE(p->CanRequestURL(kRendererID, url_foo1));
   EXPECT_TRUE(p->CanRequestURL(kRendererID, url_foo2));
   EXPECT_TRUE(p->CanRequestURL(kRendererID, url_bar));
   EXPECT_TRUE(p->CanCommitURL(kRendererID, url_foo1));
   EXPECT_TRUE(p->CanCommitURL(kRendererID, url_foo2));
   EXPECT_TRUE(p->CanCommitURL(kRendererID, url_bar));
+  EXPECT_TRUE(p->CanSetAsOriginHeader(kRendererID, url_foo1));
+  EXPECT_TRUE(p->CanSetAsOriginHeader(kRendererID, url_foo2));
+  EXPECT_TRUE(p->CanSetAsOriginHeader(kRendererID, url_bar));
 
   p->Remove(kRendererID);
 }
 
 }  // namespace content