OLD | NEW |
| (Empty) |
1 // Copyright 2016 The Chromium Authors. All rights reserved. | |
2 // Use of this source code is governed by a BSD-style license that can be | |
3 // found in the LICENSE file. | |
4 | |
5 #include "base/macros.h" | |
6 #include "base/strings/pattern.h" | |
7 #include "build/build_config.h" | |
8 #include "content/browser/web_contents/web_contents_impl.h" | |
9 #include "content/public/test/browser_test_utils.h" | |
10 #include "content/public/test/content_browser_test.h" | |
11 #include "content/public/test/content_browser_test_utils.h" | |
12 #include "content/public/test/test_utils.h" | |
13 #include "content/shell/browser/shell.h" | |
14 #include "content/test/content_browser_test_utils_internal.h" | |
15 #include "net/dns/mock_host_resolver.h" | |
16 #include "net/test/embedded_test_server/embedded_test_server.h" | |
17 #include "url/gurl.h" | |
18 #include "url/origin.h" | |
19 | |
20 namespace content { | |
21 | |
22 // Tests of the blob: URL scheme. | |
23 class BlobUrlBrowserTest : public ContentBrowserTest { | |
24 public: | |
25 BlobUrlBrowserTest() {} | |
26 | |
27 void SetUpOnMainThread() override { | |
28 host_resolver()->AddRule("*", "127.0.0.1"); | |
29 ASSERT_TRUE(embedded_test_server()->Start()); | |
30 SetupCrossSiteRedirector(embedded_test_server()); | |
31 } | |
32 | |
33 private: | |
34 DISALLOW_COPY_AND_ASSIGN(BlobUrlBrowserTest); | |
35 }; | |
36 | |
37 IN_PROC_BROWSER_TEST_F(BlobUrlBrowserTest, LinkToUniqueOriginBlob) { | |
38 // Use a data URL to obtain a test page in a unique origin. The page | |
39 // contains a link to a "blob:null/SOME-GUID-STRING" URL. | |
40 NavigateToURL( | |
41 shell(), | |
42 GURL("data:text/html,<body><script>" | |
43 "var link = document.body.appendChild(document.createElement('a'));" | |
44 "link.innerText = 'Click Me!';" | |
45 "link.href = URL.createObjectURL(new Blob(['potato']));" | |
46 "link.target = '_blank';" | |
47 "link.id = 'click_me';" | |
48 "</script></body>")); | |
49 | |
50 // Click the link. | |
51 ShellAddedObserver new_shell_observer; | |
52 EXPECT_TRUE( | |
53 ExecuteScript(shell(), "document.getElementById('click_me').click()")); | |
54 | |
55 // The link should create a new tab. | |
56 Shell* new_shell = new_shell_observer.GetShell(); | |
57 WebContents* new_contents = new_shell->web_contents(); | |
58 WaitForLoadStop(new_contents); | |
59 | |
60 EXPECT_TRUE( | |
61 base::MatchPattern(new_contents->GetVisibleURL().spec(), "blob:null/*")); | |
62 std::string page_content; | |
63 EXPECT_TRUE(ExecuteScriptAndExtractString( | |
64 new_contents, | |
65 "domAutomationController.send(" | |
66 " document.origin + ' ' + document.body.innerText);", | |
67 &page_content)); | |
68 EXPECT_EQ("null potato", page_content); | |
69 } | |
70 | |
71 IN_PROC_BROWSER_TEST_F(BlobUrlBrowserTest, LinkToSameOriginBlob) { | |
72 // Using an http page, click a link that opens a popup to a same-origin blob. | |
73 GURL url = embedded_test_server()->GetURL("chromium.org", "/title1.html"); | |
74 url::Origin origin(url); | |
75 NavigateToURL(shell(), url); | |
76 | |
77 ShellAddedObserver new_shell_observer; | |
78 EXPECT_TRUE(ExecuteScript( | |
79 shell(), | |
80 "var link = document.body.appendChild(document.createElement('a'));" | |
81 "link.innerText = 'Click Me!';" | |
82 "link.href = URL.createObjectURL(new Blob(['potato']));" | |
83 "link.target = '_blank';" | |
84 "link.click()")); | |
85 | |
86 // The link should create a new tab. | |
87 Shell* new_shell = new_shell_observer.GetShell(); | |
88 WebContents* new_contents = new_shell->web_contents(); | |
89 WaitForLoadStop(new_contents); | |
90 | |
91 EXPECT_TRUE(base::MatchPattern(new_contents->GetVisibleURL().spec(), | |
92 "blob:" + origin.Serialize() + "/*")); | |
93 std::string page_content; | |
94 EXPECT_TRUE(ExecuteScriptAndExtractString( | |
95 new_contents, | |
96 "domAutomationController.send(" | |
97 " document.origin + ' ' + document.body.innerText);", | |
98 &page_content)); | |
99 EXPECT_EQ(origin.Serialize() + " potato", page_content); | |
100 } | |
101 | |
102 // Regression test for https://crbug.com/646278 | |
103 IN_PROC_BROWSER_TEST_F(BlobUrlBrowserTest, LinkToSameOriginBlobWithAuthority) { | |
104 // Using an http page, click a link that opens a popup to a same-origin blob | |
105 // that has a spoofy authority section applied. This should be blocked. | |
106 GURL url = embedded_test_server()->GetURL("chromium.org", "/title1.html"); | |
107 url::Origin origin(url); | |
108 NavigateToURL(shell(), url); | |
109 | |
110 ShellAddedObserver new_shell_observer; | |
111 EXPECT_TRUE(ExecuteScript( | |
112 shell(), | |
113 "var link = document.body.appendChild(document.createElement('a'));" | |
114 "link.innerText = 'Click Me!';" | |
115 "link.href = 'blob:http://spoof.com@' + " | |
116 " URL.createObjectURL(new Blob(['potato'])).split('://')[1];" | |
117 "link.target = '_blank';" | |
118 "link.click()")); | |
119 | |
120 // The link should create a new tab. | |
121 Shell* new_shell = new_shell_observer.GetShell(); | |
122 WebContents* new_contents = new_shell->web_contents(); | |
123 WaitForLoadStop(new_contents); | |
124 | |
125 // The spoofy URL should not be shown to the user. | |
126 EXPECT_FALSE( | |
127 base::MatchPattern(new_contents->GetVisibleURL().spec(), "*spoof*")); | |
128 // The currently implemented behavior is that the URL gets rewritten to | |
129 // about:blank. | |
130 EXPECT_EQ("about:blank", new_contents->GetVisibleURL().spec()); | |
131 std::string page_content; | |
132 EXPECT_TRUE(ExecuteScriptAndExtractString( | |
133 new_contents, | |
134 "domAutomationController.send(" | |
135 " document.origin + ' ' + document.body.innerText);", | |
136 &page_content)); | |
137 EXPECT_EQ(origin.Serialize() + " ", page_content); // no potato | |
138 } | |
139 | |
140 // Regression test for https://crbug.com/646278 | |
141 IN_PROC_BROWSER_TEST_F(BlobUrlBrowserTest, ReplaceStateToAddAuthorityToBlob) { | |
142 // history.replaceState from a validly loaded blob URL shouldn't allow adding | |
143 // an authority to the inner URL, which would be spoofy. | |
144 GURL url = embedded_test_server()->GetURL("chromium.org", "/title1.html"); | |
145 url::Origin origin(url); | |
146 NavigateToURL(shell(), url); | |
147 | |
148 ShellAddedObserver new_shell_observer; | |
149 EXPECT_TRUE(ExecuteScript( | |
150 shell(), | |
151 "var spoof_fn = function () {\n" | |
152 " host_port = document.origin.split('://')[1];\n" | |
153 " spoof_url = 'blob:http://spoof.com@' + host_port + '/abcd';\n" | |
154 " window.history.replaceState({}, '', spoof_url);\n" | |
155 "};\n" | |
156 "args = ['<body>potato<scr', 'ipt>(', spoof_fn, ')();</scri', 'pt>'];\n" | |
157 "b = new Blob(args, {type: 'text/html'});" | |
158 "window.open(URL.createObjectURL(b));")); | |
159 | |
160 Shell* new_shell = new_shell_observer.GetShell(); | |
161 WebContents* new_contents = new_shell->web_contents(); | |
162 WaitForLoadStop(new_contents); | |
163 | |
164 // The spoofy URL should not be shown to the user. | |
165 EXPECT_FALSE( | |
166 base::MatchPattern(new_contents->GetVisibleURL().spec(), "*spoof*")); | |
167 | |
168 // The currently implemented behavior is that the URL gets rewritten to | |
169 // about:blank. The content of the page stays the same. | |
170 EXPECT_EQ("about:blank", new_contents->GetVisibleURL().spec()); | |
171 std::string page_content; | |
172 EXPECT_TRUE(ExecuteScriptAndExtractString( | |
173 new_contents, | |
174 "domAutomationController.send(" | |
175 " document.origin + ' ' + document.body.innerText);", | |
176 &page_content)); | |
177 EXPECT_EQ(origin.Serialize() + " potato", page_content); | |
178 | |
179 // TODO(nick): Currently, window.location still reflects the spoof URL. | |
180 // This seems unfortunate -- can we fix it? | |
181 std::string window_location; | |
182 EXPECT_TRUE(ExecuteScriptAndExtractString( | |
183 new_contents, "domAutomationController.send(window.location.href);", | |
184 &window_location)); | |
185 EXPECT_TRUE(base::MatchPattern(window_location, "*spoof*")); | |
186 } | |
187 | |
188 } // namespace content | |
OLD | NEW |