Disallow navigations to blob URLs with non-canonical origins.

content/browser/blob_storage/blob_url_browsertest.cc

Index: content/browser/blob_storage/blob_url_browsertest.cc
diff --git a/content/browser/blob_storage/blob_url_browsertest.cc b/content/browser/blob_storage/blob_url_browsertest.cc
new file mode 100644
index 0000000000000000000000000000000000000000..26b0167e5774026d7cee4380e5c66e71ce907d47
--- /dev/null
+++ b/content/browser/blob_storage/blob_url_browsertest.cc
@@ -0,0 +1,190 @@
+// Copyright 2016 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "base/macros.h"
+#include "base/strings/pattern.h"
+#include "build/build_config.h"
+#include "content/browser/web_contents/web_contents_impl.h"
+#include "content/public/test/browser_test_utils.h"
+#include "content/public/test/content_browser_test.h"
+#include "content/public/test/content_browser_test_utils.h"
+#include "content/public/test/test_utils.h"
+#include "content/shell/browser/shell.h"
+#include "content/test/content_browser_test_utils_internal.h"
+#include "net/dns/mock_host_resolver.h"
+#include "net/test/embedded_test_server/embedded_test_server.h"
+#include "url/gurl.h"
+#include "url/origin.h"
+
+namespace content {
+
+// Tests of the blob: URL scheme.
+class BlobUrlBrowserTest : public ContentBrowserTest {
+ public:
+  BlobUrlBrowserTest() {}
+
+  void SetUpOnMainThread() override {
+    host_resolver()->AddRule("*", "127.0.0.1");
+    ASSERT_TRUE(embedded_test_server()->Start());
+    SetupCrossSiteRedirector(embedded_test_server());
+  }
+
+ private:
+  DISALLOW_COPY_AND_ASSIGN(BlobUrlBrowserTest);
+};
+
+IN_PROC_BROWSER_TEST_F(BlobUrlBrowserTest, LinkToUniqueOriginBlob) {
+  // Use a data URL to obtain a test page in a unique origin. The page
+  // contains a link to a "blob:null/SOME-GUID-STRING" URL.
+  NavigateToURL(
+      shell(),
+      GURL("data:text/html,<body><script>"
+           "var link = document.body.appendChild(document.createElement('a'));"
+           "link.innerText = 'Click Me!';"
+           "link.href = URL.createObjectURL(new Blob(['potato']));"
+           "link.target = '_blank';"
+           "link.id = 'click_me';"
+           "</script></body>"));
+
+  // Click the link.
+  ShellAddedObserver new_shell_observer;
+  EXPECT_TRUE(
+      ExecuteScript(shell(), "document.getElementById('click_me').click()"));
+
+  // The link should create a new tab.
+  Shell* new_shell = new_shell_observer.GetShell();
+  WebContents* new_contents = new_shell->web_contents();
+  WaitForLoadStop(new_contents);
+
+  EXPECT_TRUE(
+      base::MatchPattern(new_contents->GetVisibleURL().spec(), "blob:null/*"));
+  std::string page_content;
+  EXPECT_TRUE(ExecuteScriptAndExtractString(
+      new_contents,
+      "domAutomationController.send("
+      "    document.origin + ' ' + document.body.innerText);",
+      &page_content));
+  EXPECT_EQ("null potato", page_content);
+}
+
+IN_PROC_BROWSER_TEST_F(BlobUrlBrowserTest, LinkToSameOriginBlob) {
+  // Using an http page, click a link that opens a popup to a same-origin blob.
+  GURL url = embedded_test_server()->GetURL("chromium.org", "/title1.html");
+  url::Origin origin(url);
+  NavigateToURL(shell(), url);
+
+  ShellAddedObserver new_shell_observer;
+  EXPECT_TRUE(ExecuteScript(
+      shell(),
+      "var link = document.body.appendChild(document.createElement('a'));"
+      "link.innerText = 'Click Me!';"
+      "link.href = URL.createObjectURL(new Blob(['potato']));"
+      "link.target = '_blank';"
+      "link.click()"));
+
+  // The link should create a new tab.
+  Shell* new_shell = new_shell_observer.GetShell();
+  WebContents* new_contents = new_shell->web_contents();
+  WaitForLoadStop(new_contents);
+
+  EXPECT_TRUE(base::MatchPattern(new_contents->GetVisibleURL().spec(),
+                                 "blob:" + origin.Serialize() + "/*"));
+  std::string page_content;
+  EXPECT_TRUE(ExecuteScriptAndExtractString(
+      new_contents,
+      "domAutomationController.send("
+      "    document.origin + ' ' + document.body.innerText);",
+      &page_content));
+  EXPECT_EQ(origin.Serialize() + " potato", page_content);
+}
+
+// Regression test for https://crbug.com/646278
+IN_PROC_BROWSER_TEST_F(BlobUrlBrowserTest, LinkToSameOriginBlobWithAuthority) {
+  // Using an http page, click a link that opens a popup to a same-origin blob
+  // that has a spoofy authority section applied. This should be blocked.
+  GURL url = embedded_test_server()->GetURL("chromium.org", "/title1.html");
+  url::Origin origin(url);
+  NavigateToURL(shell(), url);
+
+  ShellAddedObserver new_shell_observer;
+  EXPECT_TRUE(ExecuteScript(
+      shell(),
+      "var link = document.body.appendChild(document.createElement('a'));"
+      "link.innerText = 'Click Me!';"
+      "link.href = 'blob:http://spoof.com@' + "
+      "    URL.createObjectURL(new Blob(['potato'])).split('://')[1];"
+      "link.target = '_blank';"
+      "link.click()"));
+
+  // The link should create a new tab.
+  Shell* new_shell = new_shell_observer.GetShell();
+  WebContents* new_contents = new_shell->web_contents();
+  WaitForLoadStop(new_contents);
+
+  // The spoofy URL should not be shown to the user.
+  EXPECT_FALSE(
+      base::MatchPattern(new_contents->GetVisibleURL().spec(), "*spoof*"));
+  // The currently implemented behavior is that the URL gets rewritten to
+  // about:blank. This about:blank page loads in process.
+  EXPECT_EQ("about:blank", new_contents->GetVisibleURL().spec());
+  std::string page_content;
+  EXPECT_TRUE(ExecuteScriptAndExtractString(
+      new_contents,
+      "domAutomationController.send("
+      "    document.origin + ' ' + document.body.innerText);",
+      &page_content));
+  EXPECT_EQ(origin.Serialize() + " ", page_content);  // no potato
+}
+
+IN_PROC_BROWSER_TEST_F(BlobUrlBrowserTest, ReplaceStateToAddAuthorityToBlob) {
+  // Location.replace shouldn't be allowed .

[Charlie Reis, 2016/09/20 23:19:06]

location.replace is different than history.replaceState, which this test appears
to be testing.  Should this say replaceState?

(Also, there's an extra space before the period.)

[ncarter (slow), 2016/09/21 17:03:16]

Done.

+  GURL url = embedded_test_server()->GetURL("chromium.org", "/title1.html");
+  url::Origin origin(url);
+  NavigateToURL(shell(), url);
+
+  RenderProcessHostWatcher crash_observer(
+      shell()->web_contents(),
+      RenderProcessHostWatcher::WATCH_FOR_PROCESS_EXIT);
+
+  ShellAddedObserver new_shell_observer;
+  EXPECT_TRUE(ExecuteScript(
+      shell(),
+      "var spoof_fn = function () {\n"
+      "  host_port = document.origin.split('://')[1];\n"
+      "  spoof_url = 'blob:http://spoof.com@' + host_port + '/abcd';\n"
+      "  window.history.replaceState({}, '', spoof_url);\n"
+      "};\n"
+      "args = ['<body>potato<scr', 'ipt>(', spoof_fn, ')();</scri', 'pt>'];\n"
+      "b = new Blob(args, {type: 'text/html'});"
+      "window.open(URL.createObjectURL(b));"));
+
+  Shell* new_shell = new_shell_observer.GetShell();
+  WebContents* new_contents = new_shell->web_contents();
+  WaitForLoadStop(new_contents);
+
+  // The spoofy URL should not be shown to the user.
+  EXPECT_FALSE(
+      base::MatchPattern(new_contents->GetVisibleURL().spec(), "*spoof*"));
+
+  // The currently implemented behavior is that the URL gets rewritten to
+  // about:blank.

[Charlie Reis, 2016/09/20 23:19:06]

Please also mention that the page loads anyway.  (I think that's ok for the time
being, in the hopes that we can start showing error pages for FilterURL cases in
the future.)

[ncarter (slow), 2016/09/21 17:03:16]

Done.

+  EXPECT_EQ("about:blank", new_contents->GetVisibleURL().spec());
+  std::string page_content;
+  EXPECT_TRUE(ExecuteScriptAndExtractString(
+      new_contents,
+      "domAutomationController.send("
+      "    document.origin + ' ' + document.body.innerText);",
+      &page_content));
+  EXPECT_EQ(origin.Serialize() + " potato", page_content);
+
+  // TODO(nick): Currently, window.location still reflects the spoof URL.
+  // This seems unfortunate; fix it.
+  std::string window_location;
+  EXPECT_TRUE(ExecuteScriptAndExtractString(
+      new_contents, "domAutomationController.send(window.location.href);",
+      &window_location));
+  EXPECT_TRUE(base::MatchPattern(window_location, "*spoof*"));
+}
+
+}  // namespace content