Disallow navigations to blob URLs with non-canonical origins.

content/browser/blob_storage/blob_url_browsertest.cc

Index: content/browser/blob_storage/blob_url_browsertest.cc
diff --git a/content/browser/blob_storage/blob_url_browsertest.cc b/content/browser/blob_storage/blob_url_browsertest.cc
new file mode 100644
index 0000000000000000000000000000000000000000..9378261cd84ef371bb76a0f52d7957984691a167
--- /dev/null
+++ b/content/browser/blob_storage/blob_url_browsertest.cc
@@ -0,0 +1,133 @@
+// Copyright 2016 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "base/macros.h"
+#include "base/strings/pattern.h"
+#include "build/build_config.h"
+#include "content/browser/web_contents/web_contents_impl.h"
+#include "content/public/test/browser_test_utils.h"
+#include "content/public/test/content_browser_test.h"
+#include "content/public/test/content_browser_test_utils.h"
+#include "content/public/test/test_utils.h"
+#include "content/shell/browser/shell.h"
+#include "content/test/content_browser_test_utils_internal.h"
+#include "net/dns/mock_host_resolver.h"
+#include "net/test/embedded_test_server/embedded_test_server.h"
+#include "url/gurl.h"
+#include "url/origin.h"
+
+namespace content {
+
+// Tests of the blob: URL scheme.
+class BlobUrlBrowserTest : public ContentBrowserTest {
+ public:
+  BlobUrlBrowserTest() {}
+
+  void SetUpOnMainThread() override {
+    host_resolver()->AddRule("*", "127.0.0.1");
+    ASSERT_TRUE(embedded_test_server()->Start());
+    SetupCrossSiteRedirector(embedded_test_server());
+  }
+
+ private:
+  DISALLOW_COPY_AND_ASSIGN(BlobUrlBrowserTest);
+};
+
+IN_PROC_BROWSER_TEST_F(BlobUrlBrowserTest, LinkToUniqueOriginBlob) {
+  // Use a data URL to obtain a test page in a unique origin. The page
+  // contains a link to a "blob:null/SOME-GUID-STRING" URL.
+  NavigateToURL(shell(), GURL("data:text/html,<body><script>"
+    "var link = document.body.appendChild(document.createElement('a'));"
+    "link.innerText = 'Click Me!';"
+    "link.href = URL.createObjectURL(new Blob(['potato']));"
+    "link.target = '_blank';"
+    "link.id = 'click_me';"
+    "</script></body>"));
+
+  // Click the link.
+  ShellAddedObserver new_shell_observer;
+  EXPECT_TRUE(
+      ExecuteScript(shell(), "document.getElementById('click_me').click()"));
+
+  // The link should create a new tab.
+  Shell* new_shell = new_shell_observer.GetShell();
+  WebContents* new_contents = new_shell->web_contents();
+  WaitForLoadStop(new_contents);
+
+  EXPECT_TRUE(
+      base::MatchPattern(new_contents->GetVisibleURL().spec(), "blob:null/*"));
+  std::string page_content;
+  EXPECT_TRUE(ExecuteScriptAndExtractString(
+      new_contents,
+      "domAutomationController.send("
+      "    document.origin + ' ' + document.body.innerText);",
+      &page_content));
+  EXPECT_EQ("null potato", page_content);
+}
+
+IN_PROC_BROWSER_TEST_F(BlobUrlBrowserTest, LinkToSameOriginBlob) {
+  // Using an http page, click a link that open a popup to a same-origin blob.

[Charlie Reis, 2016/09/20 16:28:55]

nit: opens

[ncarter (slow), 2016/09/20 23:01:43]

Done.

+  GURL url = embedded_test_server()->GetURL("chromium.org", "/title1.html");
+  url::Origin origin(url);
+  NavigateToURL(shell(), url);
+
+  ShellAddedObserver new_shell_observer;
+  EXPECT_TRUE(ExecuteScript(shell(),
+    "var link = document.body.appendChild(document.createElement('a'));"
+    "link.innerText = 'Click Me!';"
+    "link.href = URL.createObjectURL(new Blob(['potato']));"
+    "link.target = '_blank';"
+    "link.click()"));
+
+  // The link should create a new tab.
+  Shell* new_shell = new_shell_observer.GetShell();
+  WebContents* new_contents = new_shell->web_contents();
+  WaitForLoadStop(new_contents);
+
+  EXPECT_TRUE(base::MatchPattern(new_contents->GetVisibleURL().spec(),
+                                 "blob:" + origin.Serialize() + "/*"));
+  std::string page_content;
+  EXPECT_TRUE(ExecuteScriptAndExtractString(
+      new_contents,
+      "domAutomationController.send("
+      "    document.origin + ' ' + document.body.innerText);",
+      &page_content));
+  EXPECT_EQ(page_content, origin.Serialize() + " potato");

[Charlie Reis, 2016/09/20 16:28:55]

nit: Reverse order (expected, actual)

[ncarter (slow), 2016/09/20 23:01:43]

Done.

+}
+
+// Regression test for https://crbug.com/646278
+IN_PROC_BROWSER_TEST_F(BlobUrlBrowserTest, LinkToSameOriginBlobWithAuthority) {
+  // Using an http page, click a link that open a popup to a same-origin blob

[Charlie Reis, 2016/09/20 16:28:55]

nit: opens

[ncarter (slow), 2016/09/20 23:01:43]

Done.

+  // that has a spoofy authority section applied. This should be blocked.
+  GURL url = embedded_test_server()->GetURL("chromium.org", "/title1.html");
+  url::Origin origin(url);
+  NavigateToURL(shell(), url);
+
+  ShellAddedObserver new_shell_observer;
+  EXPECT_TRUE(ExecuteScript(shell(),
+    "var link = document.body.appendChild(document.createElement('a'));"
+    "link.innerText = 'Click Me!';"
+    "link.href = 'blob:http://spoof.com@' + "
+    "    URL.createObjectURL(new Blob(['potato'])).split('://')[1];"
+    "link.target = '_blank';"
+    "link.click()"));
+
+  // The link should create a new tab.
+  Shell* new_shell = new_shell_observer.GetShell();
+  WebContents* new_contents = new_shell->web_contents();
+  WaitForLoadStop(new_contents);
+
+  // The spoofy URL should not be shown to the user.
+  EXPECT_FALSE(
+      base::MatchPattern(new_contents->GetVisibleURL().spec(), "*spoof*"));
+  std::string page_content;
+  EXPECT_TRUE(ExecuteScriptAndExtractString(
+      new_contents,
+      "domAutomationController.send("
+      "    document.origin + ' ' + document.body.innerText);",
+      &page_content));
+  EXPECT_EQ(page_content, origin.Serialize() + " ");  // no potato

[Charlie Reis, 2016/09/20 16:28:55]

nit: Reverse order (expected, actual)

Also, can you elaborate, either here or in the comment on line 121, why "potato"
isn't shown?  At first it sounded like the page would display but we would omit
the authority from the visible URL.  But this indicates that we prevent the page
from loading.  That behavior is be fine, but I'm not sure what form it takes--
is it an error page?  A blank page?  A renderer kill?  Worth mentioning in the
comment.

[ncarter (slow), 2016/09/20 23:01:43]

Done.

+}
+
+}  // namespace content