content/browser/blob_storage/blob_url_browsertest.cc - Issue 2358193002: Revert of Disallow navigations to blob URLs with non-canonical origins.

Side by Side Diff: content/browser/blob_storage/blob_url_browsertest.cc

Issue 2358193002: Revert of Disallow navigations to blob URLs with non-canonical origins. (Closed)

Patch Set: Created 4 years, 3 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

OLD	NEW
	(Empty)
1 // Copyright 2016 The Chromium Authors. All rights reserved.

2 // Use of this source code is governed by a BSD-style license that can be

3 // found in the LICENSE file.

4

5 #include "base/macros.h"

6 #include "base/strings/pattern.h"

7 #include "build/build_config.h"

8 #include "content/browser/web_contents/web_contents_impl.h"

9 #include "content/public/test/browser_test_utils.h"

10 #include "content/public/test/content_browser_test.h"

11 #include "content/public/test/content_browser_test_utils.h"

12 #include "content/public/test/test_utils.h"

13 #include "content/shell/browser/shell.h"

14 #include "content/test/content_browser_test_utils_internal.h"

15 #include "net/dns/mock_host_resolver.h"

16 #include "net/test/embedded_test_server/embedded_test_server.h"

17 #include "url/gurl.h"

18 #include "url/origin.h"

19

20 namespace content {

21

22 // Tests of the blob: URL scheme.

23 class BlobUrlBrowserTest : public ContentBrowserTest {

24 public:

25 BlobUrlBrowserTest() {}

26

27 void SetUpOnMainThread() override {

28 host_resolver()->AddRule("*", "127.0.0.1");

29 ASSERT_TRUE(embedded_test_server()->Start());

30 SetupCrossSiteRedirector(embedded_test_server());

31 }

32

33 private:

34 DISALLOW_COPY_AND_ASSIGN(BlobUrlBrowserTest);

35 };

36

37 IN_PROC_BROWSER_TEST_F(BlobUrlBrowserTest, LinkToUniqueOriginBlob) {

38 // Use a data URL to obtain a test page in a unique origin. The page

39 // contains a link to a "blob:null/SOME-GUID-STRING" URL.

40 NavigateToURL(

41 shell(),

42 GURL("data:text/html,<body><script>"

43 "var link = document.body.appendChild(document.createElement('a'));"

44 "link.innerText = 'Click Me!';"

45 "link.href = URL.createObjectURL(new Blob(['potato']));"

46 "link.target = '_blank';"

47 "link.id = 'click_me';"

48 "</script></body>"));

49

50 // Click the link.

51 ShellAddedObserver new_shell_observer;

52 EXPECT_TRUE(

53 ExecuteScript(shell(), "document.getElementById('click_me').click()"));

54

55 // The link should create a new tab.

56 Shell* new_shell = new_shell_observer.GetShell();

57 WebContents* new_contents = new_shell->web_contents();

58 WaitForLoadStop(new_contents);

59

60 EXPECT_TRUE(

61 base::MatchPattern(new_contents->GetVisibleURL().spec(), "blob:null/*"));

62 std::string page_content;

63 EXPECT_TRUE(ExecuteScriptAndExtractString(

64 new_contents,

65 "domAutomationController.send("

66 " document.origin + ' ' + document.body.innerText);",

67 &page_content));

68 EXPECT_EQ("null potato", page_content);

69 }

70

71 IN_PROC_BROWSER_TEST_F(BlobUrlBrowserTest, LinkToSameOriginBlob) {

72 // Using an http page, click a link that opens a popup to a same-origin blob.

73 GURL url = embedded_test_server()->GetURL("chromium.org", "/title1.html");

74 url::Origin origin(url);

75 NavigateToURL(shell(), url);

76

77 ShellAddedObserver new_shell_observer;

78 EXPECT_TRUE(ExecuteScript(

79 shell(),

80 "var link = document.body.appendChild(document.createElement('a'));"

81 "link.innerText = 'Click Me!';"

82 "link.href = URL.createObjectURL(new Blob(['potato']));"

83 "link.target = '_blank';"

84 "link.click()"));

85

86 // The link should create a new tab.

87 Shell* new_shell = new_shell_observer.GetShell();

88 WebContents* new_contents = new_shell->web_contents();

89 WaitForLoadStop(new_contents);

90

91 EXPECT_TRUE(base::MatchPattern(new_contents->GetVisibleURL().spec(),

92 "blob:" + origin.Serialize() + "/*"));

93 std::string page_content;

94 EXPECT_TRUE(ExecuteScriptAndExtractString(

95 new_contents,

96 "domAutomationController.send("

97 " document.origin + ' ' + document.body.innerText);",

98 &page_content));

99 EXPECT_EQ(origin.Serialize() + " potato", page_content);

100 }

101

102 // Regression test for https://crbug.com/646278

103 IN_PROC_BROWSER_TEST_F(BlobUrlBrowserTest, LinkToSameOriginBlobWithAuthority) {

104 // Using an http page, click a link that opens a popup to a same-origin blob

105 // that has a spoofy authority section applied. This should be blocked.

106 GURL url = embedded_test_server()->GetURL("chromium.org", "/title1.html");

107 url::Origin origin(url);

108 NavigateToURL(shell(), url);

109

110 ShellAddedObserver new_shell_observer;

111 EXPECT_TRUE(ExecuteScript(

112 shell(),

113 "var link = document.body.appendChild(document.createElement('a'));"

114 "link.innerText = 'Click Me!';"

115 "link.href = 'blob:http://spoof.com@' + "

116 " URL.createObjectURL(new Blob(['potato'])).split('://')[1];"

117 "link.target = '_blank';"

118 "link.click()"));

119

120 // The link should create a new tab.

121 Shell* new_shell = new_shell_observer.GetShell();

122 WebContents* new_contents = new_shell->web_contents();

123 WaitForLoadStop(new_contents);

124

125 // The spoofy URL should not be shown to the user.

126 EXPECT_FALSE(

127 base::MatchPattern(new_contents->GetVisibleURL().spec(), "spoof"));

128 // The currently implemented behavior is that the URL gets rewritten to

129 // about:blank.

130 EXPECT_EQ("about:blank", new_contents->GetVisibleURL().spec());

131 std::string page_content;

132 EXPECT_TRUE(ExecuteScriptAndExtractString(

133 new_contents,

134 "domAutomationController.send("

135 " document.origin + ' ' + document.body.innerText);",

136 &page_content));

137 EXPECT_EQ(origin.Serialize() + " ", page_content); // no potato

138 }

139

140 // Regression test for https://crbug.com/646278

141 IN_PROC_BROWSER_TEST_F(BlobUrlBrowserTest, ReplaceStateToAddAuthorityToBlob) {

142 // history.replaceState from a validly loaded blob URL shouldn't allow adding

143 // an authority to the inner URL, which would be spoofy.

144 GURL url = embedded_test_server()->GetURL("chromium.org", "/title1.html");

145 url::Origin origin(url);

146 NavigateToURL(shell(), url);

147

148 ShellAddedObserver new_shell_observer;

149 EXPECT_TRUE(ExecuteScript(

150 shell(),

151 "var spoof_fn = function () {\n"

152 " host_port = document.origin.split('://')[1];\n"

153 " spoof_url = 'blob:http://spoof.com@' + host_port + '/abcd';\n"

154 " window.history.replaceState({}, '', spoof_url);\n"

155 "};\n"

156 "args = ['<body>potato<scr', 'ipt>(', spoof_fn, ')();</scri', 'pt>'];\n"

157 "b = new Blob(args, {type: 'text/html'});"

158 "window.open(URL.createObjectURL(b));"));

159

160 Shell* new_shell = new_shell_observer.GetShell();

161 WebContents* new_contents = new_shell->web_contents();

162 WaitForLoadStop(new_contents);

163

164 // The spoofy URL should not be shown to the user.

165 EXPECT_FALSE(

166 base::MatchPattern(new_contents->GetVisibleURL().spec(), "spoof"));

167

168 // The currently implemented behavior is that the URL gets rewritten to

169 // about:blank. The content of the page stays the same.

170 EXPECT_EQ("about:blank", new_contents->GetVisibleURL().spec());

171 std::string page_content;

172 EXPECT_TRUE(ExecuteScriptAndExtractString(

173 new_contents,

174 "domAutomationController.send("

175 " document.origin + ' ' + document.body.innerText);",

176 &page_content));

177 EXPECT_EQ(origin.Serialize() + " potato", page_content);

178

179 // TODO(nick): Currently, window.location still reflects the spoof URL.

180 // This seems unfortunate -- can we fix it?

181 std::string window_location;

182 EXPECT_TRUE(ExecuteScriptAndExtractString(

183 new_contents, "domAutomationController.send(window.location.href);",

184 &window_location));

185 EXPECT_TRUE(base::MatchPattern(window_location, "spoof"));

186 }

187

188 } // namespace content

OLD	NEW

« no previous file with comments | « no previous file | content/browser/child_process_security_policy_impl.cc » ('j') | no next file with comments »