
Unified Diff: content/browser/child_process_security_policy_unittest.cc

Issue 2332263002: Updated suborigin serialization to latest spec proposal (Closed)
Patch Set: Convert suborigin schemes to pseudo schemes Created 4 years, 3 months ago
Index: content/browser/child_process_security_policy_unittest.cc
diff --git a/content/browser/child_process_security_policy_unittest.cc b/content/browser/child_process_security_policy_unittest.cc
index 24aa45bc21f050f00bea4642e7f5fe50674589a6..99fa496bd118255f4d15c48794b70f8b6705b9bd 100644
--- a/content/browser/child_process_security_policy_unittest.cc
+++ b/content/browser/child_process_security_policy_unittest.cc
@@ -141,6 +141,8 @@ TEST_F(ChildProcessSecurityPolicyTest, IsPseudoSchemeTest) {
EXPECT_TRUE(p->IsPseudoScheme(url::kAboutScheme));
EXPECT_TRUE(p->IsPseudoScheme(url::kJavaScriptScheme));
EXPECT_TRUE(p->IsPseudoScheme(kViewSourceScheme));
+ EXPECT_TRUE(p->IsPseudoScheme(kHttpSuboriginScheme));
+ EXPECT_TRUE(p->IsPseudoScheme(kHttpsSuboriginScheme));
EXPECT_FALSE(p->IsPseudoScheme("registered-pseudo-scheme"));
p->RegisterPseudoScheme("registered-pseudo-scheme");
@@ -168,8 +170,17 @@ TEST_F(ChildProcessSecurityPolicyTest, StandardSchemesTest) {
EXPECT_TRUE(p->CanCommitURL(kRendererID, GURL("data:text/html,<b>Hi</b>")));
EXPECT_TRUE(p->CanCommitURL(
kRendererID, GURL("filesystem:http://localhost/temporary/a.gif")));
+ EXPECT_TRUE(
+ p->CanSetAsOriginHeader(kRendererID, GURL("http://www.google.com/")));
+ EXPECT_TRUE(
+ p->CanSetAsOriginHeader(kRendererID, GURL("https://www.paypal.com/")));
+ EXPECT_TRUE(p->CanSetAsOriginHeader(kRendererID, GURL("ftp://ftp.gnu.org/")));
+ EXPECT_TRUE(
+ p->CanSetAsOriginHeader(kRendererID, GURL("data:text/html,<b>Hi</b>")));
+ EXPECT_TRUE(p->CanSetAsOriginHeader(
+ kRendererID, GURL("filesystem:http://localhost/temporary/a.gif")));
- // Dangerous to request or commit.
+ // Dangerous to request, commit, or set as origin header.
EXPECT_FALSE(p->CanRequestURL(kRendererID,
GURL("file:///etc/passwd")));
EXPECT_FALSE(p->CanRequestURL(kRendererID,
@@ -182,6 +193,11 @@ TEST_F(ChildProcessSecurityPolicyTest, StandardSchemesTest) {
GURL("chrome://foo/bar")));
EXPECT_FALSE(
p->CanCommitURL(kRendererID, GURL("view-source:http://www.google.com/")));
+ EXPECT_FALSE(
+ p->CanSetAsOriginHeader(kRendererID, GURL("file:///etc/passwd")));
+ EXPECT_FALSE(p->CanSetAsOriginHeader(kRendererID, GURL("chrome://foo/bar")));
nasko 2016/09/23 21:59:48 Hmm, do we really want to leak chrome:// origins t
jww 2016/09/23 22:52:27 Well, we already are :-) chrome:// headers already
nasko 2016/09/23 23:29:42 Definitely the job for another CL. We shouldn't be
+ EXPECT_FALSE(p->CanSetAsOriginHeader(
+ kRendererID, GURL("view-source:http://www.google.com/")));
p->Remove(kRendererID);
}
@@ -200,6 +216,10 @@ TEST_F(ChildProcessSecurityPolicyTest, AboutTest) {
EXPECT_TRUE(p->CanCommitURL(kRendererID, GURL("about:BlAnK")));
EXPECT_TRUE(p->CanCommitURL(kRendererID, GURL("aBouT:BlAnK")));
EXPECT_TRUE(p->CanCommitURL(kRendererID, GURL("aBouT:blank")));
+ EXPECT_TRUE(p->CanSetAsOriginHeader(kRendererID, GURL("about:blank")));
+ EXPECT_TRUE(p->CanSetAsOriginHeader(kRendererID, GURL("about:BlAnK")));
+ EXPECT_TRUE(p->CanSetAsOriginHeader(kRendererID, GURL("aBouT:BlAnK")));
+ EXPECT_TRUE(p->CanSetAsOriginHeader(kRendererID, GURL("aBouT:blank")));
EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("about:crash")));
EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("about:cache")));
@@ -209,6 +229,10 @@ TEST_F(ChildProcessSecurityPolicyTest, AboutTest) {
EXPECT_FALSE(p->CanCommitURL(kRendererID, GURL("about:cache")));
EXPECT_FALSE(p->CanCommitURL(kRendererID, GURL("about:hang")));
EXPECT_FALSE(p->CanCommitURL(kRendererID, GURL("about:version")));
+ EXPECT_FALSE(p->CanSetAsOriginHeader(kRendererID, GURL("about:crash")));
+ EXPECT_FALSE(p->CanSetAsOriginHeader(kRendererID, GURL("about:cache")));
+ EXPECT_FALSE(p->CanSetAsOriginHeader(kRendererID, GURL("about:hang")));
+ EXPECT_FALSE(p->CanSetAsOriginHeader(kRendererID, GURL("about:version")));
EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("aBoUt:version")));
EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("about:CrASh")));
@@ -217,17 +241,23 @@ TEST_F(ChildProcessSecurityPolicyTest, AboutTest) {
EXPECT_FALSE(p->CanCommitURL(kRendererID, GURL("about:CrASh")));
EXPECT_FALSE(p->CanCommitURL(kRendererID, GURL("abOuT:cAChe")));
EXPECT_FALSE(p->CanCommitURL(kRendererID, GURL("aBoUt:version")));
+ EXPECT_FALSE(p->CanSetAsOriginHeader(kRendererID, GURL("aBoUt:version")));
+ EXPECT_FALSE(p->CanSetAsOriginHeader(kRendererID, GURL("about:CrASh")));
+ EXPECT_FALSE(p->CanSetAsOriginHeader(kRendererID, GURL("abOuT:cAChe")));
+ EXPECT_FALSE(p->CanSetAsOriginHeader(kRendererID, GURL("aBoUt:version")));
// Requests for about: pages should be denied.
p->GrantRequestURL(kRendererID, GURL("about:crash"));
EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("about:crash")));
EXPECT_FALSE(p->CanCommitURL(kRendererID, GURL("about:crash")));
+ EXPECT_FALSE(p->CanSetAsOriginHeader(kRendererID, GURL("about:crash")));
// These requests for chrome:// pages should be granted.
GURL chrome_url("chrome://foo");
p->GrantRequestURL(kRendererID, chrome_url);
EXPECT_TRUE(p->CanRequestURL(kRendererID, chrome_url));
EXPECT_TRUE(p->CanCommitURL(kRendererID, chrome_url));
+ EXPECT_TRUE(p->CanSetAsOriginHeader(kRendererID, chrome_url));
p->Remove(kRendererID);
}
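Review bot: `EXPECT_FALSE(p->CanSetAsOriginHeader(kRendererID, GURL("aBoUt:version")));` appears twice in the added mixed-case block of AboutTest (its first and fourth lines), so the fourth line adds no coverage. It may mirror the CanCommitURL lines above, whose start lies outside this hunk. If a fourth case variant was intended, a constructed example such as `GURL("aBoUT:hAnG")` would cover `about:hang`, which has no mixed-case check in the visible lines; otherwise drop the repeat.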
@@ -240,9 +270,38 @@ TEST_F(ChildProcessSecurityPolicyTest, JavaScriptTest) {
EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("javascript:alert('xss')")));
EXPECT_FALSE(p->CanCommitURL(kRendererID, GURL("javascript:alert('xss')")));
+ EXPECT_FALSE(
+ p->CanSetAsOriginHeader(kRendererID, GURL("javascript:alert('xss')")));
p->GrantRequestURL(kRendererID, GURL("javascript:alert('xss')"));
EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("javascript:alert('xss')")));
EXPECT_FALSE(p->CanCommitURL(kRendererID, GURL("javascript:alert('xss')")));
+ EXPECT_FALSE(
+ p->CanSetAsOriginHeader(kRendererID, GURL("javascript:alert('xss')")));
+
+ p->Remove(kRendererID);
+}
+
+TEST_F(ChildProcessSecurityPolicyTest, SuboriginTest) {
+ ChildProcessSecurityPolicyImpl* p =
+ ChildProcessSecurityPolicyImpl::GetInstance();
+
+ p->Add(kRendererID);
+
+ // Suborigin URLs are not requestable or commitable.
nasko 2016/09/23 21:59:48 nit: committable?
jww 2016/09/23 22:52:27 Done.
+ EXPECT_FALSE(
+ p->CanRequestURL(kRendererID, GURL("http-so://foobar.example.com")));
+ EXPECT_FALSE(
+ p->CanRequestURL(kRendererID, GURL("https-so://foobar.example.com")));
+ EXPECT_FALSE(
+ p->CanCommitURL(kRendererID, GURL("http-so://foobar.example.com")));
+ EXPECT_FALSE(
+ p->CanCommitURL(kRendererID, GURL("https-so://foobar.example.com")));
+
+ // Suborigin URLs are valid origin headers.
+ EXPECT_TRUE(p->CanSetAsOriginHeader(kRendererID,
+ GURL("http-so://foobar.example.com")));
+ EXPECT_TRUE(p->CanSetAsOriginHeader(kRendererID,
+ GURL("https-so://foobar.example.com")));
nasko 2016/09/23 21:59:48 Let's add coverage to ensure that even after calli
jww 2016/09/23 22:52:27 Done.
p->Remove(kRendererID);
}
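Review bot: SuboriginTest asserts that `http-so`/`https-so` URLs are refused by `CanRequestURL` and `CanCommitURL` yet accepted by `CanSetAsOriginHeader`, and its two comments state the outcomes without the reason for the asymmetry. In the visible hunks this is the only case where the origin-header answer differs from the commit answer without any grant, so it is the security-relevant behaviour a reader most needs explained. A why-comment above the last two expectations would help, for example `// Suborigin schemes only serialize an origin: allowed in an Origin header, never navigable.`, assuming that is the intent of treating them as pseudo schemes.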
@@ -257,16 +316,19 @@ TEST_F(ChildProcessSecurityPolicyTest, RegisterWebSafeSchemeTest) {
// requested but not committed.
EXPECT_TRUE(p->CanRequestURL(kRendererID, GURL("asdf:rockers")));
EXPECT_FALSE(p->CanCommitURL(kRendererID, GURL("asdf:rockers")));
+ EXPECT_FALSE(p->CanSetAsOriginHeader(kRendererID, GURL("asdf:rockers")));
// Once we register "asdf", we default to deny.
RegisterTestScheme("asdf");
EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("asdf:rockers")));
EXPECT_FALSE(p->CanCommitURL(kRendererID, GURL("asdf:rockers")));
+ EXPECT_FALSE(p->CanSetAsOriginHeader(kRendererID, GURL("asdf:rockers")));
// We can allow new schemes by adding them to the whitelist.
p->RegisterWebSafeScheme("asdf");
EXPECT_TRUE(p->CanRequestURL(kRendererID, GURL("asdf:rockers")));
EXPECT_TRUE(p->CanCommitURL(kRendererID, GURL("asdf:rockers")));
+ EXPECT_TRUE(p->CanSetAsOriginHeader(kRendererID, GURL("asdf:rockers")));
// Cleanup.
p->Remove(kRendererID);
@@ -280,15 +342,20 @@ TEST_F(ChildProcessSecurityPolicyTest, CanServiceCommandsTest) {
EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("file:///etc/passwd")));
EXPECT_FALSE(p->CanCommitURL(kRendererID, GURL("file:///etc/passwd")));
+ EXPECT_FALSE(
+ p->CanSetAsOriginHeader(kRendererID, GURL("file:///etc/passwd")));
p->GrantRequestURL(kRendererID, GURL("file:///etc/passwd"));
EXPECT_TRUE(p->CanRequestURL(kRendererID, GURL("file:///etc/passwd")));
EXPECT_TRUE(p->CanCommitURL(kRendererID, GURL("file:///etc/passwd")));
+ EXPECT_TRUE(p->CanSetAsOriginHeader(kRendererID, GURL("file:///etc/passwd")));
// We should forget our state if we repeat a renderer id.
p->Remove(kRendererID);
p->Add(kRendererID);
EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("file:///etc/passwd")));
EXPECT_FALSE(p->CanCommitURL(kRendererID, GURL("file:///etc/passwd")));
+ EXPECT_FALSE(
+ p->CanSetAsOriginHeader(kRendererID, GURL("file:///etc/passwd")));
p->Remove(kRendererID);
}
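Review bot: The added `EXPECT_TRUE(p->CanSetAsOriginHeader(kRendererID, GURL("file:///etc/passwd")));` after `GrantRequestURL` pins that a request grant for a file URL also lets the renderer present that URL as an Origin header, and nothing in the test says why that coupling is wanted. An Origin header carries a serialized origin rather than a path, so passing a full file path suggests the check reuses the request/commit decision; the implementation is not visible here, so that is an inference. A one-line comment such as `// Origin-header permission follows the request grant for this URL.` would make the intended contract explicit. The same applies to the `icon_url`/`sensitive_url` assertions added in the SpecificFile hunk, where the answer differs per file path.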
@@ -317,13 +384,27 @@ TEST_F(ChildProcessSecurityPolicyTest, ViewSource) {
EXPECT_FALSE(p->CanCommitURL(
kRendererID, GURL("view-source:view-source:http://www.google.com/")));
+ // View source URLs should not be setable as origin headers
+ EXPECT_FALSE(p->CanSetAsOriginHeader(
+ kRendererID, GURL("view-source:http://www.google.com/")));
+ EXPECT_FALSE(p->CanSetAsOriginHeader(kRendererID,
+ GURL("view-source:file:///etc/passwd")));
+ EXPECT_FALSE(
+ p->CanSetAsOriginHeader(kRendererID, GURL("file:///etc/passwd")));
+ EXPECT_FALSE(p->CanSetAsOriginHeader(
+ kRendererID, GURL("view-source:view-source:http://www.google.com/")));
+
p->GrantRequestURL(kRendererID, GURL("view-source:file:///etc/passwd"));
EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("file:///etc/passwd")));
EXPECT_FALSE(p->CanCommitURL(kRendererID, GURL("file:///etc/passwd")));
EXPECT_FALSE(
+ p->CanSetAsOriginHeader(kRendererID, GURL("file:///etc/passwd")));
+ EXPECT_FALSE(
p->CanRequestURL(kRendererID, GURL("view-source:file:///etc/passwd")));
EXPECT_FALSE(p->CanCommitURL(kRendererID,
GURL("view-source:file:///etc/passwd")));
+ EXPECT_FALSE(p->CanSetAsOriginHeader(kRendererID,
+ GURL("view-source:file:///etc/passwd")));
p->Remove(kRendererID);
}
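Review bot: The added comment `// View source URLs should not be setable as origin headers` misspells "settable" and lacks a final period, and the block under it also asserts on plain `file:///etc/passwd`, which is not a view-source URL. Suggested wording: `// View-source URLs, and the file URL they wrap, should not be settable as origin headers.` The body of the ViewSource test starts outside this hunk.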
@@ -339,18 +420,24 @@ TEST_F(ChildProcessSecurityPolicyTest, SpecificFile) {
EXPECT_FALSE(p->CanRequestURL(kRendererID, sensitive_url));
EXPECT_FALSE(p->CanCommitURL(kRendererID, icon_url));
EXPECT_FALSE(p->CanCommitURL(kRendererID, sensitive_url));
+ EXPECT_FALSE(p->CanSetAsOriginHeader(kRendererID, icon_url));
+ EXPECT_FALSE(p->CanSetAsOriginHeader(kRendererID, sensitive_url));
p->GrantRequestSpecificFileURL(kRendererID, icon_url);
EXPECT_TRUE(p->CanRequestURL(kRendererID, icon_url));
EXPECT_FALSE(p->CanRequestURL(kRendererID, sensitive_url));
EXPECT_TRUE(p->CanCommitURL(kRendererID, icon_url));
EXPECT_FALSE(p->CanCommitURL(kRendererID, sensitive_url));
+ EXPECT_TRUE(p->CanSetAsOriginHeader(kRendererID, icon_url));
+ EXPECT_FALSE(p->CanSetAsOriginHeader(kRendererID, sensitive_url));
p->GrantRequestURL(kRendererID, icon_url);
EXPECT_TRUE(p->CanRequestURL(kRendererID, icon_url));
EXPECT_TRUE(p->CanRequestURL(kRendererID, sensitive_url));
EXPECT_TRUE(p->CanCommitURL(kRendererID, icon_url));
EXPECT_TRUE(p->CanCommitURL(kRendererID, sensitive_url));
+ EXPECT_TRUE(p->CanSetAsOriginHeader(kRendererID, icon_url));
+ EXPECT_TRUE(p->CanSetAsOriginHeader(kRendererID, sensitive_url));
p->Remove(kRendererID);
}
@@ -711,6 +798,9 @@ TEST_F(ChildProcessSecurityPolicyTest, OriginGranting) {
EXPECT_FALSE(p->CanCommitURL(kRendererID, url_foo1));
EXPECT_FALSE(p->CanCommitURL(kRendererID, url_foo2));
EXPECT_FALSE(p->CanCommitURL(kRendererID, url_bar));
+ EXPECT_FALSE(p->CanSetAsOriginHeader(kRendererID, url_foo1));
+ EXPECT_FALSE(p->CanSetAsOriginHeader(kRendererID, url_foo2));
+ EXPECT_FALSE(p->CanSetAsOriginHeader(kRendererID, url_bar));
p->GrantOrigin(kRendererID, url::Origin(url_foo1));
@@ -720,6 +810,9 @@ TEST_F(ChildProcessSecurityPolicyTest, OriginGranting) {
EXPECT_TRUE(p->CanCommitURL(kRendererID, url_foo1));
EXPECT_TRUE(p->CanCommitURL(kRendererID, url_foo2));
EXPECT_FALSE(p->CanCommitURL(kRendererID, url_bar));
+ EXPECT_TRUE(p->CanSetAsOriginHeader(kRendererID, url_foo1));
+ EXPECT_TRUE(p->CanSetAsOriginHeader(kRendererID, url_foo2));
+ EXPECT_FALSE(p->CanSetAsOriginHeader(kRendererID, url_bar));
p->GrantScheme(kRendererID, kChromeUIScheme);
@@ -729,6 +822,9 @@ TEST_F(ChildProcessSecurityPolicyTest, OriginGranting) {
EXPECT_TRUE(p->CanCommitURL(kRendererID, url_foo1));
EXPECT_TRUE(p->CanCommitURL(kRendererID, url_foo2));
EXPECT_TRUE(p->CanCommitURL(kRendererID, url_bar));
+ EXPECT_TRUE(p->CanSetAsOriginHeader(kRendererID, url_foo1));
+ EXPECT_TRUE(p->CanSetAsOriginHeader(kRendererID, url_foo2));
+ EXPECT_TRUE(p->CanSetAsOriginHeader(kRendererID, url_bar));
p->Remove(kRendererID);
}
