content/browser/blob_storage/blob_url_browsertest.cc - Issue 2347163004: Disallow navigations to blob URLs with non-canonical origins.

Side by Side Diff: content/browser/blob_storage/blob_url_browsertest.cc

Issue 2347163004: Disallow navigations to blob URLs with non-canonical origins. (Closed)

Patch Set: Fix issues and add unittest. Created 4 years, 3 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

OLD	NEW
(Empty)
	1 // Copyright 2016 The Chromium Authors. All rights reserved.

	2 // Use of this source code is governed by a BSD-style license that can be

	3 // found in the LICENSE file.

	4

	5 #include "base/macros.h"

	6 #include "base/strings/pattern.h"

	7 #include "build/build_config.h"

	8 #include "content/browser/web_contents/web_contents_impl.h"

	9 #include "content/public/test/browser_test_utils.h"

	10 #include "content/public/test/content_browser_test.h"

	11 #include "content/public/test/content_browser_test_utils.h"

	12 #include "content/public/test/test_utils.h"

	13 #include "content/shell/browser/shell.h"

	14 #include "content/test/content_browser_test_utils_internal.h"

	15 #include "net/dns/mock_host_resolver.h"

	16 #include "net/test/embedded_test_server/embedded_test_server.h"

	17 #include "url/gurl.h"

	18 #include "url/origin.h"

	19

	20 namespace content {

	21

	22 // Tests of the blob: URL scheme.

	23 class BlobUrlBrowserTest : public ContentBrowserTest {

	24 public:

	25 BlobUrlBrowserTest() {}

	26

	27 void SetUpOnMainThread() override {

	28 host_resolver()->AddRule("*", "127.0.0.1");

	29 ASSERT_TRUE(embedded_test_server()->Start());

	30 SetupCrossSiteRedirector(embedded_test_server());

	31 }

	32

	33 private:

	34 DISALLOW_COPY_AND_ASSIGN(BlobUrlBrowserTest);

	35 };

	36

	37 IN_PROC_BROWSER_TEST_F(BlobUrlBrowserTest, LinkToUniqueOriginBlob) {

	38 // Use a data URL to obtain a test page in a unique origin. The page

	39 // contains a link to a "blob:null/SOME-GUID-STRING" URL.

	40 NavigateToURL(

	41 shell(),

	42 GURL("data:text/html,<body><script>"

	43 "var link = document.body.appendChild(document.createElement('a'));"

	44 "link.innerText = 'Click Me!';"

	45 "link.href = URL.createObjectURL(new Blob(['potato']));"

	46 "link.target = '_blank';"

	47 "link.id = 'click_me';"

	48 "</script></body>"));

	49

	50 // Click the link.

	51 ShellAddedObserver new_shell_observer;

	52 EXPECT_TRUE(

	53 ExecuteScript(shell(), "document.getElementById('click_me').click()"));

	54

	55 // The link should create a new tab.

	56 Shell* new_shell = new_shell_observer.GetShell();

	57 WebContents* new_contents = new_shell->web_contents();

	58 WaitForLoadStop(new_contents);

	59

	60 EXPECT_TRUE(

	61 base::MatchPattern(new_contents->GetVisibleURL().spec(), "blob:null/*"));

	62 std::string page_content;

	63 EXPECT_TRUE(ExecuteScriptAndExtractString(

	64 new_contents,

	65 "domAutomationController.send("

	66 " document.origin + ' ' + document.body.innerText);",

	67 &page_content));

	68 EXPECT_EQ("null potato", page_content);

	69 }

	70

	71 IN_PROC_BROWSER_TEST_F(BlobUrlBrowserTest, LinkToSameOriginBlob) {

	72 // Using an http page, click a link that opens a popup to a same-origin blob.

	73 GURL url = embedded_test_server()->GetURL("chromium.org", "/title1.html");

	74 url::Origin origin(url);

	75 NavigateToURL(shell(), url);

	76

	77 ShellAddedObserver new_shell_observer;

	78 EXPECT_TRUE(ExecuteScript(

	79 shell(),

	80 "var link = document.body.appendChild(document.createElement('a'));"

	81 "link.innerText = 'Click Me!';"

	82 "link.href = URL.createObjectURL(new Blob(['potato']));"

	83 "link.target = '_blank';"

	84 "link.click()"));

	85

	86 // The link should create a new tab.

	87 Shell* new_shell = new_shell_observer.GetShell();

	88 WebContents* new_contents = new_shell->web_contents();

	89 WaitForLoadStop(new_contents);

	90

	91 EXPECT_TRUE(base::MatchPattern(new_contents->GetVisibleURL().spec(),

	92 "blob:" + origin.Serialize() + "/*"));

	93 std::string page_content;

	94 EXPECT_TRUE(ExecuteScriptAndExtractString(

	95 new_contents,

	96 "domAutomationController.send("

	97 " document.origin + ' ' + document.body.innerText);",

	98 &page_content));

	99 EXPECT_EQ(origin.Serialize() + " potato", page_content);

	100 }

	101

	102 // Regression test for https://crbug.com/646278

	103 IN_PROC_BROWSER_TEST_F(BlobUrlBrowserTest, LinkToSameOriginBlobWithAuthority) {

	104 // Using an http page, click a link that opens a popup to a same-origin blob

	105 // that has a spoofy authority section applied. This should be blocked.

	106 GURL url = embedded_test_server()->GetURL("chromium.org", "/title1.html");

	107 url::Origin origin(url);

	108 NavigateToURL(shell(), url);

	109

	110 ShellAddedObserver new_shell_observer;

	111 EXPECT_TRUE(ExecuteScript(

	112 shell(),

	113 "var link = document.body.appendChild(document.createElement('a'));"

	114 "link.innerText = 'Click Me!';"

	115 "link.href = 'blob:http://spoof.com@' + "

	116 " URL.createObjectURL(new Blob(['potato'])).split('://')[1];"

	117 "link.target = '_blank';"

	118 "link.click()"));

	119

	120 // The link should create a new tab.

	121 Shell* new_shell = new_shell_observer.GetShell();

	122 WebContents* new_contents = new_shell->web_contents();

	123 WaitForLoadStop(new_contents);

	124

	125 // The spoofy URL should not be shown to the user.

	126 EXPECT_FALSE(

	127 base::MatchPattern(new_contents->GetVisibleURL().spec(), "spoof"));

	128 // The currently implemented behavior is that the URL gets rewritten to

	129 // about:blank. This about:blank page loads in process.

	130 EXPECT_EQ("about:blank", new_contents->GetVisibleURL().spec());

	131 std::string page_content;

	132 EXPECT_TRUE(ExecuteScriptAndExtractString(

	133 new_contents,

	134 "domAutomationController.send("

	135 " document.origin + ' ' + document.body.innerText);",

	136 &page_content));

	137 EXPECT_EQ(origin.Serialize() + " ", page_content); // no potato

	138 }

	139

	140 IN_PROC_BROWSER_TEST_F(BlobUrlBrowserTest, ReplaceStateToAddAuthorityToBlob) {

	141 // Location.replace shouldn't be allowed .
	Charlie Reis 2016/09/20 23:19:06 location.replace is different than history.replace location.replace is different than history.replaceState, which this test appears to be testing. Should this say replaceState? (Also, there's an extra space before the period.) ncarter (slow) 2016/09/21 17:03:16 Done. Show quoted text On 2016/09/20 23:19:06, Charlie Reis (slow) wrote: > location.replace is different than history.replaceState, which this test appears > to be testing. Should this say replaceState? > > (Also, there's an extra space before the period.) Done.
	142 GURL url = embedded_test_server()->GetURL("chromium.org", "/title1.html");

	143 url::Origin origin(url);

	144 NavigateToURL(shell(), url);

	145

	146 RenderProcessHostWatcher crash_observer(

	147 shell()->web_contents(),

	148 RenderProcessHostWatcher::WATCH_FOR_PROCESS_EXIT);

	149

	150 ShellAddedObserver new_shell_observer;

	151 EXPECT_TRUE(ExecuteScript(

	152 shell(),

	153 "var spoof_fn = function () {\n"

	154 " host_port = document.origin.split('://')[1];\n"

	155 " spoof_url = 'blob:http://spoof.com@' + host_port + '/abcd';\n"

	156 " window.history.replaceState({}, '', spoof_url);\n"

	157 "};\n"

	158 "args = ['<body>potato<scr', 'ipt>(', spoof_fn, ')();</scri', 'pt>'];\n"

	159 "b = new Blob(args, {type: 'text/html'});"

	160 "window.open(URL.createObjectURL(b));"));

	161

	162 Shell* new_shell = new_shell_observer.GetShell();

	163 WebContents* new_contents = new_shell->web_contents();

	164 WaitForLoadStop(new_contents);

	165

	166 // The spoofy URL should not be shown to the user.

	167 EXPECT_FALSE(

	168 base::MatchPattern(new_contents->GetVisibleURL().spec(), "spoof"));

	169

	170 // The currently implemented behavior is that the URL gets rewritten to

	171 // about:blank.
	Charlie Reis 2016/09/20 23:19:06 Please also mention that the page loads anyway. ( Please also mention that the page loads anyway. (I think that's ok for the time being, in the hopes that we can start showing error pages for FilterURL cases in the future.) ncarter (slow) 2016/09/21 17:03:16 Done. Show quoted text On 2016/09/20 23:19:06, Charlie Reis (slow) wrote: > Please also mention that the page loads anyway. (I think that's ok for the time > being, in the hopes that we can start showing error pages for FilterURL cases in > the future.) Done.
	172 EXPECT_EQ("about:blank", new_contents->GetVisibleURL().spec());

	173 std::string page_content;

	174 EXPECT_TRUE(ExecuteScriptAndExtractString(

	175 new_contents,

	176 "domAutomationController.send("

	177 " document.origin + ' ' + document.body.innerText);",

	178 &page_content));

	179 EXPECT_EQ(origin.Serialize() + " potato", page_content);

	180

	181 // TODO(nick): Currently, window.location still reflects the spoof URL.

	182 // This seems unfortunate; fix it.

	183 std::string window_location;

	184 EXPECT_TRUE(ExecuteScriptAndExtractString(

	185 new_contents, "domAutomationController.send(window.location.href);",

	186 &window_location));

	187 EXPECT_TRUE(base::MatchPattern(window_location, "spoof"));

	188 }

	189

	190 } // namespace content

OLD	NEW

« no previous file with comments | « no previous file | content/browser/child_process_security_policy_impl.cc » ('j') | content/browser/child_process_security_policy_unittest.cc » ('J')