Side by Side Diff: content/browser/blob_storage/blob_url_browsertest.cc

Issue 2347163004: Disallow navigations to blob URLs with non-canonical origins. (Closed)
Patch Set: Add tests. Created 4 years, 3 months ago
OLDNEW
(Empty)
1 // Copyright 2016 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "base/macros.h"
6 #include "base/strings/pattern.h"
7 #include "build/build_config.h"
8 #include "content/browser/web_contents/web_contents_impl.h"
9 #include "content/public/test/browser_test_utils.h"
10 #include "content/public/test/content_browser_test.h"
11 #include "content/public/test/content_browser_test_utils.h"
12 #include "content/public/test/test_utils.h"
13 #include "content/shell/browser/shell.h"
14 #include "content/test/content_browser_test_utils_internal.h"
15 #include "net/dns/mock_host_resolver.h"
16 #include "net/test/embedded_test_server/embedded_test_server.h"
17 #include "url/gurl.h"
18 #include "url/origin.h"
19
20 namespace content {
21
22 // Tests of the blob: URL scheme.
23 class BlobUrlBrowserTest : public ContentBrowserTest {
24 public:
25 BlobUrlBrowserTest() {}
26
27 void SetUpOnMainThread() override {
28 host_resolver()->AddRule("*", "127.0.0.1");
29 ASSERT_TRUE(embedded_test_server()->Start());
30 SetupCrossSiteRedirector(embedded_test_server());
31 }
32
33 private:
34 DISALLOW_COPY_AND_ASSIGN(BlobUrlBrowserTest);
35 };
36
37 IN_PROC_BROWSER_TEST_F(BlobUrlBrowserTest, LinkToUniqueOriginBlob) {
38 // Use a data URL to obtain a test page in a unique origin. The page
39 // contains a link to a "blob:null/SOME-GUID-STRING" URL.
40 NavigateToURL(shell(), GURL("data:text/html,<body><script>"
41 "var link = document.body.appendChild(document.createElement('a'));"
42 "link.innerText = 'Click Me!';"
43 "link.href = URL.createObjectURL(new Blob(['potato']));"
44 "link.target = '_blank';"
45 "link.id = 'click_me';"
46 "</script></body>"));
47
48 // Click the link.
49 ShellAddedObserver new_shell_observer;
50 EXPECT_TRUE(
51 ExecuteScript(shell(), "document.getElementById('click_me').click()"));
52
53 // The link should create a new tab.
54 Shell* new_shell = new_shell_observer.GetShell();
55 WebContents* new_contents = new_shell->web_contents();
56 WaitForLoadStop(new_contents);
57
58 EXPECT_TRUE(
59 base::MatchPattern(new_contents->GetVisibleURL().spec(), "blob:null/*"));
60 std::string page_content;
61 EXPECT_TRUE(ExecuteScriptAndExtractString(
62 new_contents,
63 "domAutomationController.send("
64 " document.origin + ' ' + document.body.innerText);",
65 &page_content));
66 EXPECT_EQ("null potato", page_content);
67 }
68
69 IN_PROC_BROWSER_TEST_F(BlobUrlBrowserTest, LinkToSameOriginBlob) {
70 // Using an http page, click a link that open a popup to a same-origin blob.
Charlie Reis 2016/09/20 16:28:55 nit: opens
ncarter (slow) 2016/09/20 23:01:43 Done.
71 GURL url = embedded_test_server()->GetURL("chromium.org", "/title1.html");
72 url::Origin origin(url);
73 NavigateToURL(shell(), url);
74
75 ShellAddedObserver new_shell_observer;
76 EXPECT_TRUE(ExecuteScript(shell(),
77 "var link = document.body.appendChild(document.createElement('a'));"
78 "link.innerText = 'Click Me!';"
79 "link.href = URL.createObjectURL(new Blob(['potato']));"
80 "link.target = '_blank';"
81 "link.click()"));
82
83 // The link should create a new tab.
84 Shell* new_shell = new_shell_observer.GetShell();
85 WebContents* new_contents = new_shell->web_contents();
86 WaitForLoadStop(new_contents);
87
88 EXPECT_TRUE(base::MatchPattern(new_contents->GetVisibleURL().spec(),
89 "blob:" + origin.Serialize() + "/*"));
90 std::string page_content;
91 EXPECT_TRUE(ExecuteScriptAndExtractString(
92 new_contents,
93 "domAutomationController.send("
94 " document.origin + ' ' + document.body.innerText);",
95 &page_content));
96 EXPECT_EQ(page_content, origin.Serialize() + " potato");
Charlie Reis 2016/09/20 16:28:55 nit: Reverse order (expected, actual)
ncarter (slow) 2016/09/20 23:01:43 Done.
97 }
98
99 // Regression test for https://crbug.com/646278
100 IN_PROC_BROWSER_TEST_F(BlobUrlBrowserTest, LinkToSameOriginBlobWithAuthority) {
101 // Using an http page, click a link that open a popup to a same-origin blob
Charlie Reis 2016/09/20 16:28:55 nit: opens
ncarter (slow) 2016/09/20 23:01:43 Done.
102 // that has a spoofy authority section applied. This should be blocked.
103 GURL url = embedded_test_server()->GetURL("chromium.org", "/title1.html");
104 url::Origin origin(url);
105 NavigateToURL(shell(), url);
106
107 ShellAddedObserver new_shell_observer;
108 EXPECT_TRUE(ExecuteScript(shell(),
109 "var link = document.body.appendChild(document.createElement('a'));"
110 "link.innerText = 'Click Me!';"
111 "link.href = 'blob:http://spoof.com@' + "
112 " URL.createObjectURL(new Blob(['potato'])).split('://')[1];"
113 "link.target = '_blank';"
114 "link.click()"));
115
116 // The link should create a new tab.
117 Shell* new_shell = new_shell_observer.GetShell();
118 WebContents* new_contents = new_shell->web_contents();
119 WaitForLoadStop(new_contents);
120
121 // The spoofy URL should not be shown to the user.
122 EXPECT_FALSE(
123 base::MatchPattern(new_contents->GetVisibleURL().spec(), "*spoof*"));
124 std::string page_content;
125 EXPECT_TRUE(ExecuteScriptAndExtractString(
126 new_contents,
127 "domAutomationController.send("
128 " document.origin + ' ' + document.body.innerText);",
129 &page_content));
130 EXPECT_EQ(page_content, origin.Serialize() + " "); // no potato
Charlie Reis 2016/09/20 16:28:55 nit: Reverse order (expected, actual) Also, can y
ncarter (slow) 2016/09/20 23:01:43 Done.
131 }
132
133 } // namespace content
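Review bot: The negative match at new-file lines 122-123, `EXPECT_FALSE(base::MatchPattern(new_contents->GetVisibleURL().spec(), "*spoof*"))`, also passes when the visible URL is empty or anything unrelated, so on its own it does not pin what the user sees after the spoofed-authority blob navigation is blocked. Because the displayed URL is the security surface in this regression test, assert the exact expected value and check the committed entry too, e.g. `EXPECT_EQ(GURL(url::kAboutBlankURL), new_contents->GetVisibleURL());` plus the same comparison on `new_contents->GetLastCommittedURL()`. That assumes about:blank is the intended outcome, which the inherited origin and empty body checked at line 130 suggest; the browser-side change is not visible on this page. The test also covers only the userinfo form (`spoof.com@`) reached through a `target=_blank` click, so a short comment saying where other non-canonical blob origins and navigation paths are covered would help readers judge the coverage.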
OLDNEW
