OLD | NEW |
(Empty) | |
| 1 // Copyright 2016 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. |
| 4 |
| 5 #include "base/macros.h" |
| 6 #include "base/strings/pattern.h" |
| 7 #include "build/build_config.h" |
| 8 #include "content/browser/web_contents/web_contents_impl.h" |
| 9 #include "content/public/test/browser_test_utils.h" |
| 10 #include "content/public/test/content_browser_test.h" |
| 11 #include "content/public/test/content_browser_test_utils.h" |
| 12 #include "content/public/test/test_utils.h" |
| 13 #include "content/shell/browser/shell.h" |
| 14 #include "content/test/content_browser_test_utils_internal.h" |
| 15 #include "net/dns/mock_host_resolver.h" |
| 16 #include "net/test/embedded_test_server/embedded_test_server.h" |
| 17 #include "url/gurl.h" |
| 18 #include "url/origin.h" |
| 19 |
| 20 namespace content { |
| 21 |
| 22 // Tests of the blob: URL scheme. |
| 23 class BlobUrlBrowserTest : public ContentBrowserTest { |
| 24 public: |
| 25 BlobUrlBrowserTest() {} |
| 26 |
| 27 void SetUpOnMainThread() override { |
| 28 host_resolver()->AddRule("*", "127.0.0.1"); |
| 29 ASSERT_TRUE(embedded_test_server()->Start()); |
| 30 SetupCrossSiteRedirector(embedded_test_server()); |
| 31 } |
| 32 |
| 33 private: |
| 34 DISALLOW_COPY_AND_ASSIGN(BlobUrlBrowserTest); |
| 35 }; |
| 36 |
| 37 IN_PROC_BROWSER_TEST_F(BlobUrlBrowserTest, LinkToUniqueOriginBlob) { |
| 38 // Use a data URL to obtain a test page in a unique origin. The page |
| 39 // contains a link to a "blob:null/SOME-GUID-STRING" URL. |
| 40 NavigateToURL( |
| 41 shell(), |
| 42 GURL("data:text/html,<body><script>" |
| 43 "var link = document.body.appendChild(document.createElement('a'));" |
| 44 "link.innerText = 'Click Me!';" |
| 45 "link.href = URL.createObjectURL(new Blob(['potato']));" |
| 46 "link.target = '_blank';" |
| 47 "link.id = 'click_me';" |
| 48 "</script></body>")); |
| 49 |
| 50 // Click the link. |
| 51 ShellAddedObserver new_shell_observer; |
| 52 EXPECT_TRUE( |
| 53 ExecuteScript(shell(), "document.getElementById('click_me').click()")); |
| 54 |
| 55 // The link should create a new tab. |
| 56 Shell* new_shell = new_shell_observer.GetShell(); |
| 57 WebContents* new_contents = new_shell->web_contents(); |
| 58 WaitForLoadStop(new_contents); |
| 59 |
| 60 EXPECT_TRUE( |
| 61 base::MatchPattern(new_contents->GetVisibleURL().spec(), "blob:null/*")); |
| 62 std::string page_content; |
| 63 EXPECT_TRUE(ExecuteScriptAndExtractString( |
| 64 new_contents, |
| 65 "domAutomationController.send(" |
| 66 " document.origin + ' ' + document.body.innerText);", |
| 67 &page_content)); |
| 68 EXPECT_EQ("null potato", page_content); |
| 69 } |
| 70 |
| 71 IN_PROC_BROWSER_TEST_F(BlobUrlBrowserTest, LinkToSameOriginBlob) { |
| 72 // Using an http page, click a link that opens a popup to a same-origin blob. |
| 73 GURL url = embedded_test_server()->GetURL("chromium.org", "/title1.html"); |
| 74 url::Origin origin(url); |
| 75 NavigateToURL(shell(), url); |
| 76 |
| 77 ShellAddedObserver new_shell_observer; |
| 78 EXPECT_TRUE(ExecuteScript( |
| 79 shell(), |
| 80 "var link = document.body.appendChild(document.createElement('a'));" |
| 81 "link.innerText = 'Click Me!';" |
| 82 "link.href = URL.createObjectURL(new Blob(['potato']));" |
| 83 "link.target = '_blank';" |
| 84 "link.click()")); |
| 85 |
| 86 // The link should create a new tab. |
| 87 Shell* new_shell = new_shell_observer.GetShell(); |
| 88 WebContents* new_contents = new_shell->web_contents(); |
| 89 WaitForLoadStop(new_contents); |
| 90 |
| 91 EXPECT_TRUE(base::MatchPattern(new_contents->GetVisibleURL().spec(), |
| 92 "blob:" + origin.Serialize() + "/*")); |
| 93 std::string page_content; |
| 94 EXPECT_TRUE(ExecuteScriptAndExtractString( |
| 95 new_contents, |
| 96 "domAutomationController.send(" |
| 97 " document.origin + ' ' + document.body.innerText);", |
| 98 &page_content)); |
| 99 EXPECT_EQ(origin.Serialize() + " potato", page_content); |
| 100 } |
| 101 |
| 102 // Regression test for https://crbug.com/646278 |
| 103 IN_PROC_BROWSER_TEST_F(BlobUrlBrowserTest, LinkToSameOriginBlobWithAuthority) { |
| 104 // Using an http page, click a link that opens a popup to a same-origin blob |
| 105 // that has a spoofy authority section applied. This should be blocked. |
| 106 GURL url = embedded_test_server()->GetURL("chromium.org", "/title1.html"); |
| 107 url::Origin origin(url); |
| 108 NavigateToURL(shell(), url); |
| 109 |
| 110 ShellAddedObserver new_shell_observer; |
| 111 EXPECT_TRUE(ExecuteScript( |
| 112 shell(), |
| 113 "var link = document.body.appendChild(document.createElement('a'));" |
| 114 "link.innerText = 'Click Me!';" |
| 115 "link.href = 'blob:http://spoof.com@' + " |
| 116 " URL.createObjectURL(new Blob(['potato'])).split('://')[1];" |
| 117 "link.target = '_blank';" |
| 118 "link.click()")); |
| 119 |
| 120 // The link should create a new tab. |
| 121 Shell* new_shell = new_shell_observer.GetShell(); |
| 122 WebContents* new_contents = new_shell->web_contents(); |
| 123 WaitForLoadStop(new_contents); |
| 124 |
| 125 // The spoofy URL should not be shown to the user. |
| 126 EXPECT_FALSE( |
| 127 base::MatchPattern(new_contents->GetVisibleURL().spec(), "*spoof*")); |
| 128 // The currently implemented behavior is that the URL gets rewritten to |
| 129 // about:blank. |
| 130 EXPECT_EQ("about:blank", new_contents->GetVisibleURL().spec()); |
| 131 std::string page_content; |
| 132 EXPECT_TRUE(ExecuteScriptAndExtractString( |
| 133 new_contents, |
| 134 "domAutomationController.send(" |
| 135 " document.origin + ' ' + document.body.innerText);", |
| 136 &page_content)); |
| 137 EXPECT_EQ(origin.Serialize() + " ", page_content); // no potato |
| 138 } |
| 139 |
| 140 // Regression test for https://crbug.com/646278 |
| 141 IN_PROC_BROWSER_TEST_F(BlobUrlBrowserTest, ReplaceStateToAddAuthorityToBlob) { |
| 142 // history.replaceState from a validly loaded blob URL shouldn't allow adding |
| 143 // an authority to the inner URL, which would be spoofy. |
| 144 GURL url = embedded_test_server()->GetURL("chromium.org", "/title1.html"); |
| 145 url::Origin origin(url); |
| 146 NavigateToURL(shell(), url); |
| 147 |
| 148 ShellAddedObserver new_shell_observer; |
| 149 EXPECT_TRUE(ExecuteScript( |
| 150 shell(), |
| 151 "var spoof_fn = function () {\n" |
| 152 " host_port = document.origin.split('://')[1];\n" |
| 153 " spoof_url = 'blob:http://spoof.com@' + host_port + '/abcd';\n" |
| 154 " window.history.replaceState({}, '', spoof_url);\n" |
| 155 "};\n" |
| 156 "args = ['<body>potato<scr', 'ipt>(', spoof_fn, ')();</scri', 'pt>'];\n" |
| 157 "b = new Blob(args, {type: 'text/html'});" |
| 158 "window.open(URL.createObjectURL(b));")); |
| 159 |
| 160 Shell* new_shell = new_shell_observer.GetShell(); |
| 161 WebContents* new_contents = new_shell->web_contents(); |
| 162 WaitForLoadStop(new_contents); |
| 163 |
| 164 // The spoofy URL should not be shown to the user. |
| 165 EXPECT_FALSE( |
| 166 base::MatchPattern(new_contents->GetVisibleURL().spec(), "*spoof*")); |
| 167 |
| 168 // The currently implemented behavior is that the URL gets rewritten to |
| 169 // about:blank. The content of the page stays the same. |
| 170 EXPECT_EQ("about:blank", new_contents->GetVisibleURL().spec()); |
| 171 std::string page_content; |
| 172 EXPECT_TRUE(ExecuteScriptAndExtractString( |
| 173 new_contents, |
| 174 "domAutomationController.send(" |
| 175 " document.origin + ' ' + document.body.innerText);", |
| 176 &page_content)); |
| 177 EXPECT_EQ(origin.Serialize() + " potato", page_content); |
| 178 |
| 179 // TODO(nick): Currently, window.location still reflects the spoof URL. |
| 180 // This seems unfortunate -- can we fix it? |
| 181 std::string window_location; |
| 182 EXPECT_TRUE(ExecuteScriptAndExtractString( |
| 183 new_contents, "domAutomationController.send(window.location.href);", |
| 184 &window_location)); |
| 185 EXPECT_TRUE(base::MatchPattern(window_location, "*spoof*")); |
| 186 } |
| 187 |
| 188 } // namespace content |
OLD | NEW |